VMware Addresses Critical Security Vulnerabilities

Wed 16th Jul, 2025

VMware has announced essential updates to its software, specifically targeting critical security vulnerabilities found in its products, including VMware ESXi, Workstation, Fusion, and related tools. These updates are designed to address four newly identified security flaws that pose significant risks.

According to a security advisory from Broadcom, which owns VMware, the vulnerabilities can be exploited by an attacker who already holds administrative privileges inside a guest virtual machine (VM). One critical vulnerability is an integer overflow in the VMXNET3 virtual network adapter, which could allow arbitrary code execution on the host system. It is tracked as CVE-2025-41236 and carries a CVSS score of 9.3, indicating a critical risk level.

In addition, another critical flaw resides in the Virtual Machine Communication Interface (VMCI) code, where an integer underflow can lead to an out-of-bounds write. This vulnerability, identified as CVE-2025-41237, poses similar risks, allowing code execution with the privileges of the VMX process on the host.

The third vulnerability affects the paravirtualized SCSI controller (PVSCSI) across the same products. An attacker can trigger a heap-based buffer overflow, resulting in out-of-bounds memory access. This issue, tracked as CVE-2025-41238, also has a CVSS rating of 9.3, underscoring its critical nature.

Broadcom has also identified a vulnerability involving the use of uninitialized memory in vSockets across VMware ESXi, Workstation, Fusion, and VMware Tools. Malicious actors with administrative access to a VM could leverage this flaw to extract sensitive information from memory areas associated with processes that communicate via vSockets.

In light of these findings, Broadcom has provided detailed information regarding the affected versions of VMware products and links to the necessary software updates. Given that most of these vulnerabilities are categorized as critical, it is imperative that system administrators act swiftly to install the updates to mitigate potential risks.

This recent development follows another round of security updates issued by Broadcom in early June for VMware NSX, where vulnerabilities were identified and classified as high-risk, allowing attackers to inject and execute malicious code.
