#VU93318 Out-of-bounds read in VMware ESXi - CVE-2024-37086

Cybersecurity Help s.r.o.

Published: 2024-06-25

Vulnerability identifier: #VU93318

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-37086

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
VMware ESXi
Operating systems & Components / Operating system

Vendor: VMware, Inc

Description

The vulnerability allows a malicious user on the guest OS to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition. An attacker with access to the guest OS can trigger an out-of-bounds read and crash the host OS.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

VMware ESXi: ESXi70U1c-17325551 - 8.0

External links
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-803-release-notes/index.html
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3q-release-notes/index.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

PowerProtect Data Protection software update for third-party components

Multiple vulnerabilities in IBM Cloud Pak System

Dell PowerStore Family update for VMware vulnerabilities

Multiple vulnerabilities in VMware ESXi