VMware has released fixes for several flaws that together could allow attackers to execute malicious code on the host system from inside a virtual machine, bypassing the critical isolation layer. Some of the flaws are in the virtualized USB controllers, so they impact most VMware hypervisors: VMware ESXi, VMware Workstation, VMware Fusion, and VMware Cloud Foundation.
The new security patches released this week address two use-after-free memory vulnerabilities in the UHCI USB and XHCI USB controllers — CVE-2024-22252 and CVE-2024-22253. These are the virtualized controllers that let USB devices be used inside VMware virtual machines. Both flaws are rated 9.3 out of 10 on the CVSS severity scale.