VMware has released updates that fix multiple security holes affecting its Workstation and Fusion software, the most serious of which could allow a local attacker to execute code. The vulnerability, identified as CVE-2023-20869, is a stack-based buffer-overflow flaw in the functionality for sharing host Bluetooth devices with the virtual machine.
The company stated that a malicious actor with local administrative rights on a virtual machine may take advantage of this flaw to execute code as the virtual machine’s VMX process running on the host. VMware has also patched an out-of-bounds read vulnerability in the same functionality, which a local adversary with administrative privileges could exploit to read private data from a virtual machine’s hypervisor memory.