Hardware virtualisation vendor VMware has issued patches for two vulnerabilities rated as critical severity, with system administrators recommended to apply the updates immediately.
Five bugs, indexed with the Common Vulnerabilities and Exposures (CVE) system, are being patched by VMware.
Security researchers in China's Tianfu Cup Pwn contest discovered two flaws in VMware's implementation of the universal serial bus component of the extensible host controller interface (XHCI).
Attackers with local administrative privileges can exploit use-after-free and double-fetch vulnerabilities to execute code, with the privileges of the virtual machine VMX process, running on the host system.
The critical vulnerabilities, CVE-2021-22040 and CVE-2021-22041 both have a Common Vulnerabilities Scoring System rating of 8.4.
In 2020, researchers taking part in the Tianfu Cup Pwn contest found seven flaws, rated as critical, in the XHCI USB controller.
Vulnerabilities rated as important to fix in VMware ESXi, Fusion, Workstation and Cloud Foundation include settings being open to unauthorised access and privilege escalation.
VMware ESXi is also vulnerable to a slow HTTP POST request denial of service attack, which the company rates as being of moderate severity.
.png&h=140&w=231&c=1&s=0)
.png&h=140&w=231&c=1&s=0)
_page-0001.jpg&w=100&c=1&s=0)
Integrate Expo 2025
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
