Created on 2025-03-04 15:17 and updated on 2025-03-04 15:17.
Description
Impacted Products
VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion
VMware Cloud Foundation
VMware Telco Cloud Platform
Introduction
Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
3a. VMCI heap-overflow vulnerability (CVE-2025-22224)
Description: VMware ESXi and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.
Known Attack Vectors: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
Resolution: To remediate CVE-2025-22224, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds: None.
Additional Documentation: A supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004
Acknowledgements: VMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.
Notes: VMware by Broadcom has information to suggest that exploitation of CVE-2025-22224 has occurred in the wild.
3b. VMware ESXi arbitrary write vulnerability (CVE-2025-22225)
Description: VMware ESXi contains an arbitrary write vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.
Known Attack Vectors: A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.
Resolution: To remediate CVE-2025-22225, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds: None.
Additional Documentation: A supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004
Acknowledgements: VMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.
Notes: VMware by Broadcom has information to suggest that exploitation of CVE-2025-22225 has occurred in the wild.
3c. HGFS information-disclosure vulnerability (CVE-2025-22226)
Description: VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
Known Attack Vectors: A malicious actor with administrative privileges on a virtual machine may be able to exploit this issue to leak memory from the VMX process.
Resolution: To remediate CVE-2025-22226, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds: None.
Additional Documentation: A supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004
Acknowledgements: VMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.
Notes: VMware by Broadcom has information to suggest that exploitation of CVE-2025-22226 has occurred in the wild.