Broadcom announced on Thursday that it has released a VMware Fusion update to patch a high-severity vulnerability.
The flaw, tracked as CVE-2026-41702 and rated ‘important’ by the vendor, was reported by Mathieu Farrell.
An advisory describes CVE-2026-41702 as a time-of-check time-of-use (TOCTOU) flaw that “occurs during an operation performed by a SETUID binary”.
“A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed,” the advisory explains.
VMware may announce several more patches in the coming days, as its products will be targeted at this week’s Pwn2Own hacking competition. VMware owner Broadcom has sent members of its security team to the event, where participants are expected to demonstrate ESX exploits that can earn them up to $200,000.
VMware Workstation, which in recent years has earned significant rewards for Pwn2Own participants, has been removed from the list of targets.
Broadcom’s advisory does not mention CVE-2026-41702 being used in attacks, but vulnerabilities in VMware products are often exploited in the wild. CISA’s KEV catalog currently includes 26 VMware flaws.
Related: VMware Aria Operations Vulnerability Could Allow Remote Code Execution
Related: 2024 VMware Flaw Now in Attackers’ Crosshairs
Related: Exploit for VMware Zero-Day Flaws Likely Built a Year Before Public Disclosure
