CVE-2025-41237CRITICAL 9.3EPSS p31.0%

CVE-2025-41237CVE-2025-41237

Description

VMware ESXi, Workstation, and Fusion contain an integer-underflow in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

Scoring

CVSS 3.19.3 (CRITICAL)
VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS0.39% probability of exploitation · percentile 31.0% · 2026-06-19T12:03:05Z
Published2025-07-15
Last modified2026-04-15

Underlying weaknesses· 1

CWE-787

References

  1. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877

1

TypeTargetConfidenceTier
WeaknessOut-of-bounds Writecwe-7870%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-41238
CVE
CVE-2025-41236
CVE
VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability
CVE
VMware ESXi Arbitrary Write Vulnerability
CVE
VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE
VMware vCenter Server Heap-Based Buffer Overflow Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.