Critical VMware Fusion Vulnerability Allows Local Privilege Escalation

Severity: High (Score: 72.0)

Sources: Scworld, Gbhackers, Cybersecuritynews, Securityaffairs.Co

Summary

Broadcom has released a critical security update for VMware Fusion to address CVE-2026-41702, a high-severity vulnerability that allows local attackers to escalate privileges to root on affected macOS systems. This TOCTOU (Time-of-Check Time-of-Use) flaw can be exploited by users with non-administrative privileges, enabling them to gain complete control over the system. The vulnerability was privately reported to Broadcom and patched on May 14, 2026. VMware Fusion is widely used by developers and IT professionals, making this flaw particularly concerning for organizations relying on this software. While the vulnerability requires local access, it significantly increases risks from compromised user accounts and insider threats. The CVSS score for this vulnerability is 7.8, indicating its potential impact in real-world environments.

Key Points

  • CVE-2026-41702 allows local privilege escalation to root on macOS systems running VMware Fusion.
  • The vulnerability is categorized as high severity with a CVSS score of 7.8.
  • Broadcom released a patch for this vulnerability on May 14, 2026.

Key Entities

  • Broadcom (company)
  • VMware (tool)
  • CVE-2026-41702 (cve)
  • CWE-269 - Improper Privilege Management (cwe)
  • CWE-362 - Race Condition (cwe)
  • CWE-367 - TOCTOU Race Condition (cwe)
  • T1068 - Exploitation for Privilege Escalation (mitre_attack)
  • macOS (platform)
  • VMware Fusion (platform)