#VU87130 Use-after-free in VMware ESXi - CVE-2024-22252
Published: March 5, 2024 / Updated: September 4, 2024
Vulnerability identifier: #VU87130
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-22252
CWE-ID: CWE-416
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vulnerable software:
VMware ESXi
VMware ESXi
Software vendor:
VMware, Inc
VMware, Inc
Description
The vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in the XHCI USB controller. A remote attacker with administrative access to the guest OS can trigger a use-after-free error and execute arbitrary code on the host OS.
On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
Remediation
Install updates from vendor's website.