CVE-2021-22040

high-risk

Published 2022-02-16

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Do I need to act?

0.66% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.7/10 Medium

LOCAL / LOW complexity

Affected Products (20)

Cloud Foundation

Fusion

Workstation Player

Workstation Pro

Esxi

Affected Vendors

Vmware

References (2)

Patch https://www.vmware.com/security/advisories/VMSA-2022-0004.html

/ 100

high-risk

Severity 21/34 · High

Exploitability 2/34 · Minimal

Exposure 33/34 · Critical