CVE-2026-41702

HIGH

VMware Fusion - TOCTOU Local Privilege Escalation Vulnerability

Title source: rule

Description

VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed.

References (1)

Core 1

Core References

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37454

Scores

CVSS v3 7.8

EPSS 0.0001

EPSS Percentile 2.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-367

Status published

Products (1)

VMware/Fusion 2025H2 - 2026H1

Published May 15, 2026

Tracked Since May 15, 2026