Heap-based Buffer Overflow in VMware Workstation (CVE‑2025‑41238) Enables Local Privilege Escalation
What It Is – A heap‑based buffer overflow in the PVSCSI virtual device driver of VMware Workstation allows a local attacker to corrupt heap memory and execute arbitrary code with hypervisor privileges.
Exploitability – The flaw is locally exploitable; an attacker must first run code on a guest VM. No public exploit or ransomware‑as‑a‑service has been observed, but a proof‑of‑concept was demonstrated at Pwn2Own 2025. CVSS 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Affected Products – VMware Workstation (all supported versions prior to the March 2026 security update).
TPRM Impact – Compromise of a single workstation can lead to hypervisor takeover, exposing all co‑tenant VMs and any data they host. This creates a supply‑chain risk for organizations that rely on VMware‑based development, testing, or production environments supplied by third‑party service providers.
Recommended Actions –
- Deploy VMware’s March 2026 patch immediately on all Workstation installations.
- Verify the installed version via `vmware -v` and confirm the patch level (≥ 16.3.2).
- Conduct a forensic review of any Workstation VMs that have run untrusted code since 2025‑05‑23.
- Update endpoint hardening policies to block execution of unsigned binaries inside VMs.
- Add the CVE to your vulnerability management dashboard and monitor for any related IOC alerts.
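
The version check from the list above can be scripted for a fleet sweep. This is an added example, not VMware's or the advisory author's code; the function names are hypothetical, the sample `vmware -v` lines are constructed, and the 16.3.2 threshold is the value stated in this advisory.

```shell
#!/bin/sh
# Added example: compare the version reported by `vmware -v` with a minimum
# patch level. The default threshold is the one stated in the advisory text;
# override it with the MIN_VERSION environment variable.
MIN_VERSION="${MIN_VERSION:-16.3.2}"

# Pull the first dotted x.y.z version out of a line such as
# "VMware Workstation 17.5.0 build-22583795" (constructed sample).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 when version $1 >= version $2, comparing each field numerically
# so that 16.10.0 sorts above 16.3.2 (a plain string compare gets this wrong).
version_ge() {
    for i in 1 2 3; do
        fa=$(printf '%s' "$1" | cut -d. -f"$i")
        fb=$(printf '%s' "$2" | cut -d. -f"$i")
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0
}

# Classify one line of `vmware -v` output.
# Exit status: 0 = at or above threshold, 1 = below threshold, 2 = unparseable.
check_patch_level() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: no version found in: $1"
        return 2
    fi
    if version_ge "$ver" "$MIN_VERSION"; then
        echo "OK: $ver >= $MIN_VERSION"
    else
        echo "PATCH NEEDED: $ver < $MIN_VERSION"
        return 1
    fi
}

# On a host with Workstation installed, check the live value; otherwise do nothing.
if command -v vmware >/dev/null 2>&1; then
    check_patch_level "$(vmware -v 2>/dev/null)" || true
fi
```

An unparseable result (status 2) should be treated as unverified rather than as patched.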