Description
VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed.
Published: 2026-05-15
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a TOCTOU condition in a SETUID binary that runs with elevated privileges. A local non-administrator can leverage this flaw to execute arbitrary actions as root, enabling full system compromise. The weakness is categorized as CWE-367.

Affected Systems

VMware Fusion; specific versions were not disclosed in the advisory.

Risk and Exploitability

The flaw provides a local attack vector: an attacker needs user privileges on the host where Fusion is installed and can manipulate files between the check and the use, leading to privilege escalation. The CVSS score of 7.8 indicates high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Consequently, the risk is high for systems running vulnerable versions of VMware Fusion without remedial action.

Generated by OpenCVE AI on May 15, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply any available updates to VMware Fusion provided by Broadcom/VMware that address the TOCTOU flaw.
  • If an update is not yet available, remove or restrict the vulnerable SETUID binary to prevent execution by non-admin users.
  • As a temporary measure, configure file system permissions or host lockdown to disallow the creation of files in directories accessed by the SETUID binary.


Advisories

No advisories yet.

History

Fri, 15 May 2026 10:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 May 2026 08:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Vmware; Vmware fusion

Type: Vendors & Products
Values removed: (none)
Values added: Vmware; Vmware fusion

Fri, 15 May 2026 07:00:00 +0000

Type: Description
Values removed: (none)
Values added: VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed.

Type: Title
Values removed: (none)
Values added: TOCTOU local privilege escalation vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-367

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-05-15T09:52:56.934Z

Reserved: 2026-04-22T06:21:22.982Z

Link: CVE-2026-41702

Vulnrichment

Updated: 2026-05-15T09:52:51.216Z

NVD

Status : Awaiting Analysis

Published: 2026-05-15T07:16:18.923

Modified: 2026-05-15T14:11:57.190

Link: CVE-2026-41702

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T08:30:40Z

Weaknesses