VMware has published an advisory for a heap-overflow vulnerability (CVE-2021-22045) in VMware Workstation, Fusion, and ESXi. The vulnerability was reported to the company privately. VMware states that updates remediating the vulnerability are available for users to apply.
CVSSv3 base score of 7.7
The heap-overflow vulnerability lies in the CD-ROM device emulation of the affected VMware products. An attacker acting from inside a virtual machine may be able to exploit it, in conjunction with other issues, to execute code on the hypervisor. It carries a CVSSv3 base score of 7.7, which falls within the important severity range.
Affected product lines and their fixed versions are:
- ESXi 7.0 – Patch pending
- ESXi 6.7 – Fixed version: ESXi670-202111101-SG
- ESXi 6.5 – Fixed version: ESXi650-202110101-SG
- Workstation 16.x – Fixed version: 16.2.0
- Fusion 12.x – Fixed version: 12.2.0
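The following triage script is an added example, not VMware's tooling and not part of the advisory. It encodes the fixed-version table above and checks a constructed inventory against it. Two details matter for a practitioner: desktop versions must be compared numerically (a plain string comparison would rank 16.10.x below 16.2.0), and ESXi fixes are identified by patch bulletin ID, so a host on a later rollup that supersedes the listed bulletin is reported as affected and needs a manual check against VMware's build list. The inventory records, host names, and the `bulletins` field are assumptions made for the example.

```python
"""Triage an inventory against the CVE-2021-22045 fixed versions quoted in the text.

Added example; the fixed-version table is the one listed above, the inventory is
constructed sample data.
"""
from __future__ import annotations

import re

# First fixed release per product line, as given in the advisory summary.
DESKTOP_FIXED = {
    "workstation": {16: (16, 2, 0)},
    "fusion": {12: (12, 2, 0)},
}

# ESXi fixes ship as patch bulletins; 7.0 had none at publication time ("Patch pending").
ESXI_FIXED_BULLETIN = {
    "6.7": "ESXi670-202111101-SG",
    "6.5": "ESXi650-202110101-SG",
    "7.0": None,
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '16.2.0' (or '16.2') into a 3-tuple of ints.

    Tuples compare numerically, so (16, 10, 0) > (16, 2, 0); comparing the raw
    strings would wrongly rank '16.10.0' below '16.2.0'.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple((parts + [0, 0, 0])[:3])  # pad short versions with zeros


def desktop_status(product: str, version: str) -> str:
    """Status of a Workstation or Fusion install: 'fixed', 'affected' or 'not listed'."""
    v = parse_version(version)
    first_fixed = DESKTOP_FIXED.get(product.lower(), {}).get(v[0])
    if first_fixed is None:
        return "not listed"  # product or major version not named in the advisory
    return "fixed" if v >= first_fixed else "affected"


def esxi_status(release: str, installed_bulletins: list[str]) -> str:
    """Status of an ESXi host given its major.minor release and applied bulletin IDs.

    The 'bulletins' list is assumed to come from the host's patch history; exact-ID
    matching is conservative, so a later superseding rollup still reads 'affected'.
    """
    if release not in ESXI_FIXED_BULLETIN:
        return "not listed"
    fixed = ESXI_FIXED_BULLETIN[release]
    if fixed is None:
        return "patch pending"
    return "fixed" if fixed in installed_bulletins else "affected"


def triage(inventory: list[dict]) -> list[tuple[str, str]]:
    """Return (name, status) for each inventory record."""
    results = []
    for item in inventory:
        if item["product"] == "esxi":
            status = esxi_status(item["release"], item.get("bulletins", []))
        else:
            status = desktop_status(item["product"], item["version"])
        results.append((item["name"], status))
    return results


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    {"name": "ws-dev-01", "product": "workstation", "version": "16.1.2"},
    {"name": "ws-dev-02", "product": "workstation", "version": "16.10.0"},
    {"name": "mac-ops-03", "product": "fusion", "version": "12.2.0"},
    {"name": "esx-a", "product": "esxi", "release": "6.7", "bulletins": ["ESXi670-202111101-SG"]},
    {"name": "esx-b", "product": "esxi", "release": "6.5", "bulletins": []},
    {"name": "esx-c", "product": "esxi", "release": "7.0", "bulletins": []},
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY):
        print(f"{name:12} {status}")
```

Feed `triage` the real inventory from whatever asset source is in use; for ESXi the conservative "affected" result is a prompt to confirm the installed build, not a final verdict.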
VMware has also provided workarounds for the heap-overflow vulnerability; these are described in the advisory.