CVE-2025-41236

CRITICAL

VMware ESXi, Workstation, and Fusion - RCE

Title source: llm

Description

VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability in the VMXNET3 virtual network adapter. A malicious actor with local administrative privileges on a virtual machine with a VMXNET3 virtual network adapter may exploit this issue to execute code on the host. Non-VMXNET3 virtual adapters are not affected by this issue.

Scores

CVSS v3 9.3
EPSS 0.0013
EPSS Percentile 31.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-787
Status published
Products (8)
VMware/Cloud Foundation 5.x, 4.5.x
VMware/ESXi 7.0 - ESXi70U3w-24784741
VMware/ESXi 8.0 - ESXi80U2e-24789317
VMware/ESXi 8.0 - ESXi80U3f-24784735
VMware/Fusion 13.x - 13.6.4
VMware/Telco Cloud Infrastructure 3.x, 2.x
VMware/Telco Cloud Platform 5.x, 4.x, 3.x, 2.x
VMware/Workstation 17.x - 17.6.4
Published Jul 15, 2025
Tracked Since Feb 18, 2026