CVE-2026-41702
Description
VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
VMware Fusion contains a TOCTOU vulnerability in a SETUID binary that allows local non-administrative users to escalate privileges to root.
CVE-2026-41702 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware Fusion, specifically occurring during an operation performed by a SETUID binary. This race condition can be exploited by a local attacker to gain elevated privileges [1].
To exploit this vulnerability, an attacker must have local non-administrative user privileges on the system where Fusion is installed. No authentication is required beyond initial local access, and the attack is performed locally [1].
The impact of successful exploitation is privilege escalation to root, granting the attacker full control over the affected system [1].
Broadcom has released patches to remediate this issue in VMware Fusion 26H1. No workarounds are available, and users are advised to apply the updates [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (2)
- Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws · The Hacker News · May 18, 2026
- High-Severity Vulnerability Patched in VMware Fusion · SecurityWeek · May 14, 2026