CVE-2026-41702

Summary

VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed.

Affected Software

VendorProductVersion RangeStatus
VMwareFusion2025H2 < 2026H1affected

Weaknesses

  • CWE-367: CWE-367 Time-of-check time-of-use (TOCTOU) race condition

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References