CVE-2021-21988

low-risk

Published 2021-05-24

VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain out-of-bounds read vulnerability in the Cortado ThinPrint component (JPEG2000 Parser). A malicious actor with access to a virtual machine or remote desktop may be able to exploit these issues leading to information disclosure from the TPView process running on the system where Workstation or Horizon Client for Windows is installed.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

LOCAL / LOW complexity

Affected Products (2)

Workstation

Horizon Client

Affected Vendors

Vmware

References (4)

Patch https://www.vmware.com/security/advisories/VMSA-2021-0009.html

Third Party Advisory https://www.zerodayinitiative.com/advisories/ZDI-21-609/

Patch https://www.vmware.com/security/advisories/VMSA-2021-0009.html

Third Party Advisory https://www.zerodayinitiative.com/advisories/ZDI-21-609/

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 7/34 · Low