CVE-2024-22253
CRITICALDescription
VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
Is your site exposed to CVE-2024-22253?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| vmware | cloud_foundation |
| vmware | workstation |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | esxi |
| vmware | fusion |
| apple | macos |
References
Frequently Asked Questions
What is CVE-2024-22253? +
How severe is CVE-2024-22253? +
What products are affected by CVE-2024-22253? +
How do I check if I'm vulnerable to CVE-2024-22253? +
Related Vulnerabilities
A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the …
rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice …
XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder …
c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue …
There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an …
There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module. This only affects HTTP/2 handling, HTTP …