CVE-2025-41236
published 2025-07-15
critical 9.3 (CVSS 3.1)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability in the VMXNET3 virtual network adapter. A malicious actor with local administrative privileges on a virtual machine with a VMXNET3 virtual network adapter may exploit this issue to execute code on the host. Non-VMXNET3 virtual adapters are not affected by this issue.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | cloud_foundation | — | — |
| vmware | esxi | >= 7.0 < ESXi70U3w-24784741 | ESXi70U3w-24784741 |
| vmware | esxi | >= 8.0 < ESXi80U3f-24784735 | ESXi80U3f-24784735 |
| vmware | esxi | >= 8.0 < ESXi80U2e-24789317 | ESXi80U2e-24789317 |
| vmware | fusion | 13.x – 13.6.4 | — |
| vmware | telco_cloud_infrastructure | — | — |
| vmware | telco_cloud_platform | — | — |
| vmware | workstation | >= 17.x < 17.6.4 | 17.6.4 |