Out-of-bounds read in VMware ESXi

#VU93318 Out-of-bounds read in VMware ESXi

Published: 2024-06-25

Vulnerability identifier: #VU93318

Vulnerability risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-37086

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
VMware ESXi
Operating systems & Components / Operating system

Vendor: VMware, Inc

Description

The vulnerability allows a malicious user on the guest OS to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition. An attacker with access to the guest OS can trigger an out-of-bounds read and crash the host OS.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

VMware ESXi: 7.0 - ESXi80U2sb-23305545

External links
http://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
http://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-803-release-notes/index.html
http://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3q-release-notes/index.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Dell PowerStore Family update for VMware vulnerabilities

Multiple vulnerabilities in VMware ESXi