CVE-2025-41238Out-of-bounds Write in Vmware Esxi

CWE-787Out-of-bounds Write4 documents4 sources
Severity
9.3CRITICALNVD
EPSS
0.0%
top 86.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Vmware EsxiVmware FusionVmware Workstation+3 more
Timeline
PublishedJul 15
Latest updateJul 17

Description

VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox and exploitable only with configurations that are unsupported. On Workstation and Fusion, this may lead

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 2.5 | Impact: 6.0

Affected Packages6 packages

CVEListV5vmware/fusion13.x13.6.4
CVEListV5vmware/workstation17.x17.6.4
CVEListV5vmware/esxi8.0ESXi80U3f-24784735+2
CVEListV5vmware/cloud_foundation5.x, 4.5.x
CVEListV5vmware/telco_cloud_platform5.x, 4.x, 3.x, 2.x

🔴Vulnerability Details

2
GHSA
GHSA-x6g2-w5w8-r8xx: VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out of-bou2025-07-15
CVEList
PVSCSI heap-overflow vulnerability2025-07-15

🕵️Threat Intelligence

1
Bleepingcomputer
VMware fixes four ESXi zero-day bugs exploited at Pwn2Own Berlin2025-07-17
CVE-2025-41238 — Out-of-bounds Write in Vmware Esxi | cvebase