Broadcom announced on Thursday that it has released a VMware Fusion update to patch a high-severity vulnerability.
The flaw, tracked as CVE-2026-41702 and rated ‘important’ by the vendor, was reported by Mathieu Farrell.
An advisory describes CVE-2026-41702 as a time-of-check time-of-use (TOCTOU) flaw that “occurs during an operation performed by a SETUID binary”.
“A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed,” the advisory explains.
VMware may announce several more patches in the coming days, as its products are being targeted at this week’s Pwn2Own hacking competition. VMware owner Broadcom has sent members of its security team to the event, where participants are expected to demonstrate ESX exploits that can earn them up to $200,000.
VMware Workstation, which in recent years has earned significant rewards for Pwn2Own participants, has been removed from the list of targets.
Broadcom’s advisory does not mention CVE-2026-41702 being used in attacks, but vulnerabilities in VMware products are often exploited in the wild. CISA’s KEV catalog currently includes 26 VMware flaws.