CVE-2025-41239

Summary

VMware ESXi, Workstation, Fusion, and VMware Tools contains an information disclosure vulnerability due to the usage of an uninitialised memory in vSockets. A malicious actor with local administrative privileges on a virtual machine may be able to exploit this issue to leak memory from processes communicating with vSockets.

Affected Software

VendorProductVersion RangeStatus
VMwareESXi8.0 < ESXi80U3f-24784735affected
VMwareESXi8.0 < ESXi80U2e-24789317affected
VMwareESXi7.0 < ESXi70U3w-24784741affected
VMwareCloud Foundation5.x, 4.5.xaffected
VMwareWorkstation17.x < 17.6.4affected
VMwareFusion13.x < 13.6.4affected
VMwareTelco Cloud Platform5.x, 4.x, 3.x, 2.xaffected
VMwareTelco Cloud Infrastructure3.x, 2.xaffected
VMwareTools13.x.x < 13.0.1.0affected
VMwareTools12.x.x, 11.x.x, < 12.5.3affected

Weaknesses

  • CWE-908: CWE-908 Use of Uninitialized Resource

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References