
Broadcom has issued an important security update for VMware Fusion to address a high-severity local privilege escalation vulnerability identified as CVE-2026-41702.
The flaw could allow attackers with basic local access to a Mac device to gain full administrator-level control, prompting security experts to urge users to update immediately.
According to Broadcom’s security advisory, the issue is classified as a Time-of-Check to Time-of-Use (TOCTOU) vulnerability: a race condition in which a resource is validated in one step and acted on in a later step, leaving a window in which the resource can be swapped between the two. The flaw occurs during a specific operation performed by a SETUID binary within VMware Fusion.
Security researchers warn that a malicious user with non-administrative local access could exploit the vulnerability to silently elevate privileges to root access, effectively gaining complete control over the affected system.
The company assigned the flaw an “Important” severity rating with a CVSSv3 base score of 7.8.
Broadcom stated that there is currently no evidence the vulnerability has been exploited in the wild. The issue was privately reported by security researcher Mathieu Farrell and coordinated alongside the ongoing Pwn2Own Berlin 2026 hacking competition.
Cybersecurity analysts note that additional VMware-related security patches could emerge in the coming days due to disclosures associated with the event.
The vulnerability affects:
- VMware Fusion 25H2
The issue has been resolved in:
- VMware Fusion 26H1
Broadcom emphasized that there are currently no workarounds available for the vulnerability, making software updates the only effective mitigation.
Mac users running VMware Fusion are strongly advised to install the latest patched version immediately to prevent unauthorized administrative access to their systems.
Users can obtain the updated software and review official security guidance through the Broadcom Support Portal and the VMware Security Blog.
Source: Omanghana