Threat Advisory

Broadcom Patches Critical VMware ESXi, Workstation, and Fusion Vulnerabilities

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Broadcom has addressed multiple critical and high-severity vulnerabilities affecting VMware ESXi, Workstation, and Fusion products, which could allow attackers to execute remote code, escalate privileges, or trigger denial-of-service conditions. These flaws, stemming from heap overflows, use-after-free bugs, and VMCI privilege issues, pose a serious risk to virtualized environments by enabling unauthorized access or compromise of host systems through malicious virtual machine activity.

  • CVE-2025-41236: A use-after-free vulnerability (CVSS score 9.3) in the UHCI USB controller can be exploited by a malicious VM to execute code on the host.
  • CVE-2025-41237: Another use-after-free vulnerability (CVSS score 9.3) in the UHCI USB controller, similar in impact, allowing code execution on the host.
  • CVE-2025-41238: A heap overflow vulnerability (CVSS score 7.9) in the VMCI component allows privilege escalation from a guest VM to the host.
  • CVE-2025-41239: A vulnerability (CVSS score 7.8) in the Bluetooth device emulation component could lead to denial of service or possible code execution.

RECOMMENDATION:

We recommend updating the affected products to the fixed versions listed below:

  • ESXi versions: 7.x, 8.x, and 9.x
  • Workstation: 17.6.4
  • Fusion: 13.6.4
  • VMware Tools (Windows): 13.0.1.0, 12.5.3
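As an added example (not part of this advisory and not Broadcom tooling), the following Python check compares a constructed inventory of installed versions against the fixed versions listed above. It picks the fix on the same major branch (so VMware Tools 12.5.2 is measured against 12.5.3, not 13.0.1.0) and, because the advisory names only major branches for ESXi, reports ESXi hosts as needing manual verification; the product keys, inventory rows and status names are my assumptions.

```python
from typing import Optional

# Fixed versions as listed in the advisory; VMware Tools has a fix per branch.
FIXED_VERSIONS = {
    "workstation": ["17.6.4"],
    "fusion": ["13.6.4"],
    "vmware_tools_windows": ["13.0.1.0", "12.5.3"],
}

def parse_version(v: str) -> tuple:
    """'12.5.3' -> (12, 5, 3); raises ValueError on non-numeric parts."""
    return tuple(int(p) for p in v.strip().split("."))

def fixed_for_branch(product: str, installed: str) -> Optional[str]:
    """Fix on the installed version's major branch, so Tools 12.5.2 is
    measured against 12.5.3 rather than 13.0.1.0. None if not in advisory."""
    candidates = FIXED_VERSIONS.get(product)
    if not candidates:
        return None
    major = parse_version(installed)[0]
    same_branch = [c for c in candidates if parse_version(c)[0] == major]
    # A branch the advisory does not list is held to the highest listed fix:
    # older branches come out vulnerable, newer ones patched.
    return max(same_branch or candidates, key=parse_version)

def check_host(product: str, installed: str) -> str:
    """'patched', 'vulnerable', or 'verify' when the advisory gives no exact
    build (ESXi is listed only as 7.x/8.x/9.x) or the product is unknown."""
    if product == "esxi":
        return "verify"
    fixed = fixed_for_branch(product, installed)
    if fixed is None:
        return "verify"
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))  # pad so 12.5.3 compares equal to 12.5.3.0
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return "patched" if a >= b else "vulnerable"

# Constructed sample inventory: (hostname, product, installed version).
INVENTORY = [
    ("ws-01", "workstation", "17.6.3"),
    ("mac-02", "fusion", "13.6.4"),
    ("win-03", "vmware_tools_windows", "12.5.2"),
    ("win-04", "vmware_tools_windows", "11.3.5"),
    ("esx-05", "esxi", "8.0.3"),
]

def audit(inventory=INVENTORY) -> dict:
    """Map hostname -> status for every inventory row."""
    return {host: check_host(prod, ver) for host, prod, ver in inventory}
```

Calling `audit()` on the sample inventory flags ws-01, win-03 and win-04 as vulnerable, mac-02 as patched and esx-05 as needing verification against the vendor advisory.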

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/cve-2025-43856-oauth2-account-hijacking-flaw-found-in-immich-a-popular-self-hosted-photo-platform/
