Broadcom announced on Thursday that it has released a VMware Fusion update to patch a high-severity vulnerability.
The flaw, tracked as CVE-2026-41702 and rated ‘important’ by the vendor, was reported by Mathieu Farrell.
An advisory describes CVE-2026-41702 as a time-of-check time-of-use (TOCTOU) flaw that “occurs during an operation performed by a SETUID binary”.
“A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed,” the advisory explains.
VMware may announce several more patches in the coming days, as its products will be targeted at this week’s Pwn2Own hacking competition. VMware owner Broadcom has sent members of its security team to the event, where participants are expected to demonstrate ESX exploits that can earn them up to $200,000.
VMware Workstation, which in recent years has earned significant rewards for Pwn2Own…