- Description
- VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox and exploitable only with configurations that are unsupported. On Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
- Source
- security@vmware.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 9.3
- Impact score
- 6
- Exploitability score
- 2.5
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Severity
- CRITICAL
- security@vmware.com
- CWE-787
- Hype score
- Not currently trending
VMware fixes four ESXi zero-day bugs exploited at Pwn2Own Berlin https://t.co/KO82Sd0KdG "These flaws are tracked as CVE-2025-41236, CVE-2025-41237, and CVE-2025-41238." https://t.co/rWZTWhLtnz
@catnap707
17 Jul 2025
VMSA-2025-0013: VMware ESXi, Workstation, Fusion, and Tools updates address multiple vulnerabilities (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239) Classification: Critical Solution: Official Fix Exploit Maturity: Not Defined Issue date: 2025-07-15 CVSSv3 htt
@endi24
16 Jul 2025
⚠️ VMware ESXi & Workstation Vulnerabilities Let Attackers Execute Malicious Code on Host Read more: https://t.co/LIl3CHzuTP 1. VMware patched CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, and CVE-2025-41239 targeting VMXNET3, VMCI, PVSCSI, and vSockets components.
@The_Cyber_News
16 Jul 2025
Broadcom has fixed critical vulnerabilities in its VMware product line. Three of them have a CVSS score of 9.3 and affect ESXi, Workstation, and Fusion. https://t.co/scugRcjZt3 CVE-2025-41236 is an integer overflow in VMXNET3, CVE-2025-41237 is an integer
@__kokumoto
15 Jul 2025