VMware Fusion contains a TOCTOU (Time-of-check Time-of... · CVE-2026-41702 · GitHub Advisory Database · GitHub

VMware Fusion contains a TOCTOU (Time-of-check Time-of...

High severity Unreviewed Published May 15, 2026 to the GitHub Advisory Database • Updated May 15, 2026

Package

No package listed— Suggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed.

References

Published by the National Vulnerability Database

May 15, 2026

Published to the GitHub Advisory Database May 15, 2026

Last updated May 15, 2026

Severity

High

/ 10

CVSS v3 base metrics

Attack vector

Local

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H