
Broadcom released a security update for VMware Fusion to address a high-severity vulnerability, tracked as CVE-2026-41702, that could allow local attackers to escalate privileges to root on affected systems.
The flaw, reported by security researcher Mathieu Farrell, is a time-of-check time-of-use (TOCTOU) vulnerability in operations performed by a SETUID binary.
Broadcom explained that an attacker with local non-administrative user privileges can exploit the bug to escalate privileges to root on the system where Fusion is installed.
“A local privilege escalation vulnerability in VMware Fusion was privately reported to Broadcom,” reads the advisory. “Updates are available to remediate this vulnerability in affected Broadcom products.”
Successful exploitation could allow attackers with limited access to gain full control of vulnerable machines, significantly increasing the risk posed by compromised user accounts or insider threats.
TOCTOU vulnerabilities occur when a system checks the state of a resource and later uses it without ensuring that the state has not changed in the meantime. Attackers can exploit this timing gap to manipulate files, permissions, or other resources and execute unauthorized actions with elevated privileges.
VMware Fusion is widely used by developers, IT professionals, and security researchers to run virtual machines on macOS systems. Because the vulnerability requires local access, it does not expose systems directly to remote compromise. However, privilege escalation flaws remain highly valuable to attackers because they can turn a limited foothold into complete system compromise.
The patch arrives as Broadcom participates in the Pwn2Own hacking competition taking place this week in Berlin. The event, organized by Trend Micro’s Zero Day Initiative, brings together some of the world’s top security researchers to demonstrate zero-day exploits targeting widely used enterprise and consumer technologies.
VMware products have historically attracted strong interest from Pwn2Own participants due to the high value of virtualization exploits. This year, participants are expected to showcase attacks against VMware ESX, with successful demonstrations potentially earning rewards of up to $200,000.
Interestingly, VMware Workstation, which has frequently appeared as a target in previous Pwn2Own editions and generated significant payouts for researchers, was removed from this year’s list of eligible targets.
Organizations and users running VMware Fusion are advised to apply the latest updates as soon as possible to reduce the risk of privilege escalation attacks.
(SecurityAffairs – hacking, VMware Fusion)