VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox and exploitable only with configurations that are unsupported. On Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
Metrics
Affected Vendors & Products
References
History
Wed, 16 Jul 2025 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
epss
|
Tue, 15 Jul 2025 21:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Tue, 15 Jul 2025 18:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox and exploitable only with configurations that are unsupported. On Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed. | |
Title | PVSCSI heap-overflow vulnerability | |
Weaknesses | CWE-787 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: vmware
Published: 2025-07-15T18:34:48.818Z
Updated: 2025-07-16T03:56:00.818Z
Reserved: 2025-04-16T09:30:17.798Z
Link: CVE-2025-41238

Updated: 2025-07-15T20:46:34.177Z

Status : Awaiting Analysis
Published: 2025-07-15T19:15:22.413
Modified: 2025-07-15T20:07:28.023
Link: CVE-2025-41238

No data.