High-Severity Privilege Escalation Flaw Patched in VMware Fusion
A critical privilege escalation vulnerability (CVE-2026-41702) was discovered in VMware Fusion, Broadcom’s macOS virtualization software, allowing local attackers to gain root-level access on affected systems. The flaw, a TOCTOU (Time-of-Check Time-of-Use) race condition in a SETUID binary, was privately reported to Broadcom and patched on May 14, 2026, under security advisory VMSA-2026-0003.
The vulnerability affects VMware Fusion version 25H2 on macOS and can be exploited by a local attacker with standard user privileges; no admin rights or remote access are required. Successful exploitation could lead to full system compromise, particularly in shared environments, development workstations, or enterprise endpoints.
Broadcom confirmed no workarounds exist, making the patch the only remediation. Users must upgrade to VMware Fusion 26H1 to mitigate the risk. The flaw was responsibly disclosed by security researcher Mathieu Farrell (@coiffeur0x90).
TOCTOU vulnerabilities are a known attack vector for local privilege escalation, underscoring the urgency of applying the update to close this root-level access path.
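The report names the bug class but does not show what a check-then-use race in a setuid helper looks like, or why the usual fix works. The C below is an added illustration, not Broadcom's code, and assumes nothing about which Fusion binary or file path was involved: it contrasts the generic racy shape (stat the path, then open the path) with the hardened shape (open with O_NOFOLLOW, then fstat the descriptor you actually hold), and exercises both against a constructed temp-dir fixture where the name has already been swapped for a symlink.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATH_CAP 128

/* Racy shape: the check (stat on the path) and the use (open on the same
 * path) are two separate name lookups. Between them the name can be
 * re-pointed, e.g. replaced by a symlink, so the file that was checked is
 * not necessarily the file that gets opened. */
int open_checked_racy(const char *path, uid_t caller)
{
    struct stat st;
    if (stat(path, &st) != 0)                       /* check: follows symlinks */
        return -1;
    if (!S_ISREG(st.st_mode) || st.st_uid != caller)
        return -1;
    return open(path, O_RDONLY);                    /* use: second lookup */
}

/* Hardened shape: open first, refusing to follow a symlink at the final
 * component, then validate the descriptor actually held with fstat. The
 * object that was checked is the object that is used; no window remains. */
int open_checked_safe(const char *path, uid_t caller)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != caller) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture (assumption: /tmp is writable): a temp dir holding
 * "target", a regular file owned by the caller, and "path", a symlink to it
 * standing in for the state reached once the name was swapped mid-race. */
static int make_fixture(char *dir, char *target, char *link)
{
    snprintf(dir, PATH_CAP, "%s", "/tmp/toctou_demo.XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, PATH_CAP, "%s/target", dir);
    snprintf(link, PATH_CAP, "%s/path", dir);
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (t < 0)
        return -1;
    close(t);
    return symlink(target, link);
}

static void drop_fixture(const char *dir, const char *target, const char *link)
{
    unlink(link);
    unlink(target);
    rmdir(dir);
}

/* Runs both variants against one name; returns 1 on the expected outcome.
 * want_safe_open says whether the hardened open is expected to succeed. */
static int run_case(int use_symlink, int want_safe_open)
{
    char dir[PATH_CAP], target[PATH_CAP], link[PATH_CAP];
    if (make_fixture(dir, target, link) != 0)
        return -1;
    const char *name = use_symlink ? link : target;
    int racy = open_checked_racy(name, getuid());
    int safe = open_checked_safe(name, getuid());
    int result = (racy >= 0 && (safe >= 0) == want_safe_open) ? 1 : 0;
    if (racy >= 0) close(racy);
    if (safe >= 0) close(safe);
    drop_fixture(dir, target, link);
    return result;
}

/* The swapped name: the racy version happily opens through the symlink
 * (stat saw a caller-owned regular file), the hardened one refuses it. */
int demo_symlink_swap(void)   { return run_case(1, 0); }

/* The honest name: both open the genuine regular file, so the hardened
 * check is no stricter than needed on the legitimate path. */
int demo_regular_file(void)   { return run_case(0, 1); }

int main(void)
{
    printf("symlink swap: racy opens, hardened refuses -> %d\n", demo_symlink_swap());
    printf("regular file: both open                    -> %d\n", demo_regular_file());
    return 0;
}
```

The point to take from the fixture is not the symlink itself but the ordering: any privileged helper that resolves a user-controlled name twice has a window, and the durable fix is to perform every check on the descriptor returned by the single open rather than on the name. For a real setuid binary the same principle extends to dropping privileges before touching user-controlled paths at all.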
Source: https://cybersecuritynews.com/vmware-fusion-toctou-vulnerability/
Broadcom TPRM report: https://www.rankiteo.com/company/vmware
"id": "vmw1778840944",
"linkid": "vmware",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology/Virtualization',
                        'name': 'Broadcom (VMware Fusion)',
                        'type': 'Software Vendor'}],
 'attack_vector': 'Local',
 'date_publicly_disclosed': '2026-05-14',
 'date_resolved': '2026-05-14',
 'description': 'A critical privilege escalation vulnerability (CVE-2026-41702) was discovered in VMware Fusion, Broadcom’s macOS virtualization software, allowing local attackers to gain root-level access on affected systems. The flaw, a TOCTOU (Time-of-Check Time-of-Use) race condition in a SETUID binary, was privately reported to Broadcom and patched on May 14, 2026, under security advisory VMSA-2026-0003.',
 'impact': {'operational_impact': 'Full system compromise, particularly in shared environments, development workstations, or enterprise endpoints',
            'systems_affected': 'VMware Fusion 25H2 on macOS'},
 'investigation_status': 'Resolved',
 'lessons_learned': 'TOCTOU vulnerabilities are a known attack vector for local privilege escalation, underscoring the urgency of applying updates.',
 'post_incident_analysis': {'corrective_actions': 'Patch released (VMware Fusion 26H1)',
                            'root_causes': 'TOCTOU (Time-of-Check Time-of-Use) race condition in a SETUID binary'},
 'recommendations': 'Users must upgrade to VMware Fusion 26H1 to mitigate the risk.',
 'references': [{'source': 'Security researcher Mathieu Farrell (@coiffeur0x90)'},
                {'source': 'Broadcom Security Advisory VMSA-2026-0003'}],
 'response': {'communication_strategy': 'Security advisory VMSA-2026-0003',
              'containment_measures': 'Patch released (VMware Fusion 26H1)',
              'remediation_measures': 'Upgrade to VMware Fusion 26H1'},
 'title': 'High-Severity Privilege Escalation Flaw Patched in VMware Fusion',
 'type': 'Privilege Escalation',
 'vulnerability_exploited': 'TOCTOU (Time-of-Check Time-of-Use) race condition in a SETUID binary'}