#VU48602 Use-after-free in VMware, Inc products - CVE-2020-4004
Published: November 20, 2020 / Updated: November 23, 2020
Vulnerability identifier: #VU48602
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-4004
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
VMware ESXi
VMware Fusion
VMware Workstation
Cloud Foundation
VMware ESXi
VMware Fusion
VMware Workstation
Cloud Foundation
Software vendor:
VMware, Inc
VMware, Inc
Description
The vulnerability allows a local user to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in the XHCI USB controller. A local administrator can execute arbitrary code as the virtual machine's VMX process running on the host
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Remediation
Install updates from vendor's website.