High-Severity TOCTOU Vulnerability Patched in VMware Fusion
Broadcom has released a security update for VMware Fusion to fix CVE-2026-41702, a high-severity TOCTOU flaw that lets local non-administrative users escalate privileges to root.

Broadcom announced on Thursday that it has released a VMware Fusion update to patch a high-severity vulnerability. The flaw, tracked as CVE-2026-41702 and rated ‘important’ by the vendor, was reported by researcher Mathieu Farrell.
An advisory describes CVE-2026-41702 as a time-of-check time-of-use (TOCTOU) flaw that “occurs during an operation performed by a SETUID binary.” TOCTOU vulnerabilities arise when a program checks a condition (like file permissions) and then uses that resource later, allowing an attacker to alter the resource between the check and the use. In this case, the flaw exists in a SETUID binary, which runs with elevated privileges.
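To make the check-then-use window concrete, here is an added illustration (not code from VMware Fusion or from the advisory) of the pattern the advisory describes: a setuid-style helper that checks a path with access() and then opens it, beside a hardened version that opens first and validates the descriptor it actually holds. The function names, file paths and the demo routine are all constructed for this example.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, symlink, O_NOFOLLOW, O_CLOEXEC */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable (CWE-367): access() checks the path, then open() resolves the
   same path a second time. In a setuid-root binary a local user who controls
   the directory can swap in a symlink to a root-owned file in between. */
int append_vulnerable(const char *path, const char *msg) {
    if (access(path, W_OK) != 0) return -1;       /* time of check */
    int fd = open(path, O_WRONLY | O_APPEND);     /* time of use   */
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened: open without following symlinks, then validate the object the
   descriptor actually refers to. Check and use now hit the same inode. */
int append_hardened(const char *path, const char *msg, uid_t owner) {
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                        /* ELOOP on a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) { /* no links, no foreign files */
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Demo (constructed): regular file + symlink to it in a temp dir. Returns 1 if
   the vulnerable version follows the link and the hardened one refuses it. */
int demo_symlink_case(void) {
    char dir[] = "/tmp/toctouXXXXXX", file[64], link[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(file, sizeof file, "%s/log", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(file, link) != 0) return 0;
    close(fd);
    int v = append_vulnerable(link, "x\n");                 /* 0  */
    int h_link = append_hardened(link, "x\n", getuid());    /* -1 */
    int h_file = append_hardened(file, "x\n", getuid());    /* 0  */
    unlink(link); unlink(file); rmdir(dir);
    return v == 0 && h_link == -1 && h_file == 0;
}
```

The hardened form is the general remedy for this bug class: validate the object you hold (via fstat on the descriptor), never the path you were given, and refuse symlinks and hard links outright when running with elevated privileges.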
“A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed,” the advisory explains. This means an attacker who already has a foothold on a macOS system running VMware Fusion could gain full administrative control, potentially compromising the host and all virtual machines.
Broadcom’s advisory does not mention CVE-2026-41702 being used in attacks, but vulnerabilities in VMware products are often exploited in the wild. CISA’s KEV catalog currently includes 26 VMware flaws, underscoring the persistent threat these products face. The company has not provided a timeline for when a patch might be expected for other affected products, but VMware may announce several more patches in the coming days, as its products will be targeted at this week’s Pwn2Own hacking competition. VMware owner Broadcom has sent members of its security team to the event, where participants are expected to demonstrate ESX exploits that can earn them up to $200,000.
VMware Workstation, which in recent years has earned significant rewards for Pwn2Own participants, has been removed from the list of targets. The removal may indicate that Broadcom has already addressed some of the most critical vulnerabilities in that product, or that the company is focusing its resources on other areas.
Organizations using VMware Fusion should apply the latest update as soon as possible to mitigate the risk of privilege escalation attacks. Given the history of VMware flaws being actively exploited, administrators should treat this patch with high priority, even though no in-the-wild exploitation has been reported yet.