Use-after-free in VMware ESXi - CVE-2024-22253
Published: March 5, 2024 / Updated: September 4, 2024
Vulnerability identifier: #VU87131
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-22253
CWE-ID: CWE-416
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: VMware, Inc
Affected software:
VMware ESXi
VMware ESXi
Detailed vulnerability description
The vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in the UHCI USB controller. A remote attacker with administrative access to the guest OS can trigger a use-after-free error and execute arbitrary code on the host OS.
On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
How to mitigate CVE-2024-22253
Install updates from vendor's website.