VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machines VMX process running on the host.
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cloud_foundation | Vmware | 3.0 (including) | 3.11 (excluding) |
| Cloud_foundation | Vmware | 4.0 (including) | 4.4 (excluding) |
| Fusion | Vmware | 12.0.0 (including) | 12.2.1 (excluding) |
| Workstation_player | Vmware | 16.0.0 (including) | 16.2.1 (excluding) |
| Workstation_pro | Vmware | 16.0.0 (including) | 16.2.1 (excluding) |
| Esxi | Vmware | 6.5 (including) | 6.5 (including) |
| Esxi | Vmware | 6.5-650-202202401 (including) | 6.5-650-202202401 (including) |
| Esxi | Vmware | 6.7 (including) | 6.7 (including) |
| Esxi | Vmware | 6.7-670-201806001 (including) | 6.7-670-201806001 (including) |
| Esxi | Vmware | 6.7-670-201807001 (including) | 6.7-670-201807001 (including) |
| Esxi | Vmware | 6.7-670-201808001 (including) | 6.7-670-201808001 (including) |
| Esxi | Vmware | 6.7-670-201810001 (including) | 6.7-670-201810001 (including) |
| Esxi | Vmware | 6.7-670-201810101 (including) | 6.7-670-201810101 (including) |
| Esxi | Vmware | 6.7-670-201810102 (including) | 6.7-670-201810102 (including) |
| Esxi | Vmware | 6.7-670-201810103 (including) | 6.7-670-201810103 (including) |
| Esxi | Vmware | 6.7-670-201810201 (including) | 6.7-670-201810201 (including) |
| Esxi | Vmware | 6.7-670-201810202 (including) | 6.7-670-201810202 (including) |
| Esxi | Vmware | 6.7-670-201810203 (including) | 6.7-670-201810203 (including) |
| Esxi | Vmware | 6.7-670-201810204 (including) | 6.7-670-201810204 (including) |
| Esxi | Vmware | 6.7-670-201810205 (including) | 6.7-670-201810205 (including) |
| Esxi | Vmware | 6.7-670-201810206 (including) | 6.7-670-201810206 (including) |
| Esxi | Vmware | 6.7-670-201810207 (including) | 6.7-670-201810207 (including) |
| Esxi | Vmware | 6.7-670-201810208 (including) | 6.7-670-201810208 (including) |
| Esxi | Vmware | 6.7-670-201810209 (including) | 6.7-670-201810209 (including) |
| Esxi | Vmware | 6.7-670-201810210 (including) | 6.7-670-201810210 (including) |
| Esxi | Vmware | 6.7-670-201810211 (including) | 6.7-670-201810211 (including) |
| Esxi | Vmware | 6.7-670-201810212 (including) | 6.7-670-201810212 (including) |
| Esxi | Vmware | 6.7-670-201810213 (including) | 6.7-670-201810213 (including) |
| Esxi | Vmware | 6.7-670-201810214 (including) | 6.7-670-201810214 (including) |
| Esxi | Vmware | 6.7-670-201810215 (including) | 6.7-670-201810215 (including) |
| Esxi | Vmware | 6.7-670-201810216 (including) | 6.7-670-201810216 (including) |
| Esxi | Vmware | 6.7-670-201810217 (including) | 6.7-670-201810217 (including) |
| Esxi | Vmware | 6.7-670-201810218 (including) | 6.7-670-201810218 (including) |
| Esxi | Vmware | 6.7-670-201810219 (including) | 6.7-670-201810219 (including) |
| Esxi | Vmware | 6.7-670-201810220 (including) | 6.7-670-201810220 (including) |
| Esxi | Vmware | 6.7-670-201810221 (including) | 6.7-670-201810221 (including) |
| Esxi | Vmware | 6.7-670-201810222 (including) | 6.7-670-201810222 (including) |
| Esxi | Vmware | 6.7-670-201810223 (including) | 6.7-670-201810223 (including) |
| Esxi | Vmware | 6.7-670-201810224 (including) | 6.7-670-201810224 (including) |
| Esxi | Vmware | 6.7-670-201810225 (including) | 6.7-670-201810225 (including) |
| Esxi | Vmware | 6.7-670-201810226 (including) | 6.7-670-201810226 (including) |
| Esxi | Vmware | 6.7-670-201810227 (including) | 6.7-670-201810227 (including) |
| Esxi | Vmware | 6.7-670-201810228 (including) | 6.7-670-201810228 (including) |
| Esxi | Vmware | 6.7-670-201810229 (including) | 6.7-670-201810229 (including) |
| Esxi | Vmware | 6.7-670-201810230 (including) | 6.7-670-201810230 (including) |
| Esxi | Vmware | 6.7-670-201810231 (including) | 6.7-670-201810231 (including) |
| Esxi | Vmware | 6.7-670-201810232 (including) | 6.7-670-201810232 (including) |
| Esxi | Vmware | 6.7-670-201810233 (including) | 6.7-670-201810233 (including) |
| Esxi | Vmware | 6.7-670-201810234 (including) | 6.7-670-201810234 (including) |
| Esxi | Vmware | 6.7-670-201811001 (including) | 6.7-670-201811001 (including) |
| Esxi | Vmware | 6.7-670-201901001 (including) | 6.7-670-201901001 (including) |
| Esxi | Vmware | 6.7-670-201901401 (including) | 6.7-670-201901401 (including) |
| Esxi | Vmware | 6.7-670-201901402 (including) | 6.7-670-201901402 (including) |
| Esxi | Vmware | 6.7-670-201901403 (including) | 6.7-670-201901403 (including) |
| Esxi | Vmware | 6.7-670-201903001 (including) | 6.7-670-201903001 (including) |
| Esxi | Vmware | 6.7-670-201904001 (including) | 6.7-670-201904001 (including) |
| Esxi | Vmware | 6.7-670-201904201 (including) | 6.7-670-201904201 (including) |
| Esxi | Vmware | 6.7-670-201904201-ug (including) | 6.7-670-201904201-ug (including) |
| Esxi | Vmware | 6.7-670-201904202 (including) | 6.7-670-201904202 (including) |
| Esxi | Vmware | 6.7-670-201904202-ug (including) | 6.7-670-201904202-ug (including) |
| Esxi | Vmware | 6.7-670-201904203 (including) | 6.7-670-201904203 (including) |
| Esxi | Vmware | 6.7-670-201904203-ug (including) | 6.7-670-201904203-ug (including) |
| Esxi | Vmware | 6.7-670-201904204 (including) | 6.7-670-201904204 (including) |
| Esxi | Vmware | 6.7-670-201904204-ug (including) | 6.7-670-201904204-ug (including) |
| Esxi | Vmware | 6.7-670-201904205 (including) | 6.7-670-201904205 (including) |
| Esxi | Vmware | 6.7-670-201904205-ug (including) | 6.7-670-201904205-ug (including) |
| Esxi | Vmware | 6.7-670-201904206 (including) | 6.7-670-201904206 (including) |
| Esxi | Vmware | 6.7-670-201904206-ug (including) | 6.7-670-201904206-ug (including) |
| Esxi | Vmware | 6.7-670-201904207 (including) | 6.7-670-201904207 (including) |
| Esxi | Vmware | 6.7-670-201904207-ug (including) | 6.7-670-201904207-ug (including) |
| Esxi | Vmware | 6.7-670-201904208 (including) | 6.7-670-201904208 (including) |
| Esxi | Vmware | 6.7-670-201904208-ug (including) | 6.7-670-201904208-ug (including) |
| Esxi | Vmware | 6.7-670-201904209 (including) | 6.7-670-201904209 (including) |
| Esxi | Vmware | 6.7-670-201904209-ug (including) | 6.7-670-201904209-ug (including) |
| Esxi | Vmware | 6.7-670-201904210 (including) | 6.7-670-201904210 (including) |
| Esxi | Vmware | 6.7-670-201904210-ug (including) | 6.7-670-201904210-ug (including) |
| Esxi | Vmware | 6.7-670-201904211 (including) | 6.7-670-201904211 (including) |
| Esxi | Vmware | 6.7-670-201904211-ug (including) | 6.7-670-201904211-ug (including) |
| Esxi | Vmware | 6.7-670-201904212 (including) | 6.7-670-201904212 (including) |
| Esxi | Vmware | 6.7-670-201904212-ug (including) | 6.7-670-201904212-ug (including) |
| Esxi | Vmware | 6.7-670-201904213 (including) | 6.7-670-201904213 (including) |
| Esxi | Vmware | 6.7-670-201904213-ug (including) | 6.7-670-201904213-ug (including) |
| Esxi | Vmware | 6.7-670-201904214 (including) | 6.7-670-201904214 (including) |
| Esxi | Vmware | 6.7-670-201904214-ug (including) | 6.7-670-201904214-ug (including) |
| Esxi | Vmware | 6.7-670-201904215 (including) | 6.7-670-201904215 (including) |
| Esxi | Vmware | 6.7-670-201904215-ug (including) | 6.7-670-201904215-ug (including) |
| Esxi | Vmware | 6.7-670-201904216 (including) | 6.7-670-201904216 (including) |
| Esxi | Vmware | 6.7-670-201904216-ug (including) | 6.7-670-201904216-ug (including) |
| Esxi | Vmware | 6.7-670-201904217 (including) | 6.7-670-201904217 (including) |
| Esxi | Vmware | 6.7-670-201904217-ug (including) | 6.7-670-201904217-ug (including) |
| Esxi | Vmware | 6.7-670-201904218 (including) | 6.7-670-201904218 (including) |
| Esxi | Vmware | 6.7-670-201904218-ug (including) | 6.7-670-201904218-ug (including) |
| Esxi | Vmware | 6.7-670-201904219 (including) | 6.7-670-201904219 (including) |
| Esxi | Vmware | 6.7-670-201904219-ug (including) | 6.7-670-201904219-ug (including) |
| Esxi | Vmware | 6.7-670-201904220 (including) | 6.7-670-201904220 (including) |
| Esxi | Vmware | 6.7-670-201904220-ug (including) | 6.7-670-201904220-ug (including) |
| Esxi | Vmware | 6.7-670-201904221 (including) | 6.7-670-201904221 (including) |
| Esxi | Vmware | 6.7-670-201904221-ug (including) | 6.7-670-201904221-ug (including) |
| Esxi | Vmware | 6.7-670-201904222 (including) | 6.7-670-201904222 (including) |
| Esxi | Vmware | 6.7-670-201904222-ug (including) | 6.7-670-201904222-ug (including) |
| Esxi | Vmware | 6.7-670-201904223 (including) | 6.7-670-201904223 (including) |
| Esxi | Vmware | 6.7-670-201904223-ug (including) | 6.7-670-201904223-ug (including) |
| Esxi | Vmware | 6.7-670-201904224 (including) | 6.7-670-201904224 (including) |
| Esxi | Vmware | 6.7-670-201904224-ug (including) | 6.7-670-201904224-ug (including) |
| Esxi | Vmware | 6.7-670-201904225 (including) | 6.7-670-201904225 (including) |
| Esxi | Vmware | 6.7-670-201904225-ug (including) | 6.7-670-201904225-ug (including) |
| Esxi | Vmware | 6.7-670-201904226 (including) | 6.7-670-201904226 (including) |
| Esxi | Vmware | 6.7-670-201904226-ug (including) | 6.7-670-201904226-ug (including) |
| Esxi | Vmware | 6.7-670-201904227 (including) | 6.7-670-201904227 (including) |
| Esxi | Vmware | 6.7-670-201904227-ug (including) | 6.7-670-201904227-ug (including) |
| Esxi | Vmware | 6.7-670-201904228 (including) | 6.7-670-201904228 (including) |
| Esxi | Vmware | 6.7-670-201904228-ug (including) | 6.7-670-201904228-ug (including) |
| Esxi | Vmware | 6.7-670-201904229 (including) | 6.7-670-201904229 (including) |
| Esxi | Vmware | 6.7-670-201904229-ug (including) | 6.7-670-201904229-ug (including) |
| Esxi | Vmware | 6.7-670-201905001 (including) | 6.7-670-201905001 (including) |
| Esxi | Vmware | 6.7-670-201906002 (including) | 6.7-670-201906002 (including) |
| Esxi | Vmware | 6.7-670-201908101 (including) | 6.7-670-201908101 (including) |
| Esxi | Vmware | 6.7-670-201908102 (including) | 6.7-670-201908102 (including) |
| Esxi | Vmware | 6.7-670-201908103 (including) | 6.7-670-201908103 (including) |
| Esxi | Vmware | 6.7-670-201908104 (including) | 6.7-670-201908104 (including) |
| Esxi | Vmware | 6.7-670-201908201 (including) | 6.7-670-201908201 (including) |
| Esxi | Vmware | 6.7-670-201908202 (including) | 6.7-670-201908202 (including) |
| Esxi | Vmware | 6.7-670-201908203 (including) | 6.7-670-201908203 (including) |
| Esxi | Vmware | 6.7-670-201908204 (including) | 6.7-670-201908204 (including) |
| Esxi | Vmware | 6.7-670-201908205 (including) | 6.7-670-201908205 (including) |
| Esxi | Vmware | 6.7-670-201908206 (including) | 6.7-670-201908206 (including) |
| Esxi | Vmware | 6.7-670-201908207 (including) | 6.7-670-201908207 (including) |
| Esxi | Vmware | 6.7-670-201908208 (including) | 6.7-670-201908208 (including) |
| Esxi | Vmware | 6.7-670-201908209 (including) | 6.7-670-201908209 (including) |
| Esxi | Vmware | 6.7-670-201908210 (including) | 6.7-670-201908210 (including) |
| Esxi | Vmware | 6.7-670-201908211 (including) | 6.7-670-201908211 (including) |
| Esxi | Vmware | 6.7-670-201908212 (including) | 6.7-670-201908212 (including) |
| Esxi | Vmware | 6.7-670-201908213 (including) | 6.7-670-201908213 (including) |
| Esxi | Vmware | 6.7-670-201908214 (including) | 6.7-670-201908214 (including) |
| Esxi | Vmware | 6.7-670-201908215 (including) | 6.7-670-201908215 (including) |
| Esxi | Vmware | 6.7-670-201908216 (including) | 6.7-670-201908216 (including) |
| Esxi | Vmware | 6.7-670-201908217 (including) | 6.7-670-201908217 (including) |
| Esxi | Vmware | 6.7-670-201908218 (including) | 6.7-670-201908218 (including) |
| Esxi | Vmware | 6.7-670-201908219 (including) | 6.7-670-201908219 (including) |
| Esxi | Vmware | 6.7-670-201908220 (including) | 6.7-670-201908220 (including) |
| Esxi | Vmware | 6.7-670-201908221 (including) | 6.7-670-201908221 (including) |
| Esxi | Vmware | 6.7-670-201911001 (including) | 6.7-670-201911001 (including) |
| Esxi | Vmware | 6.7-670-201912001 (including) | 6.7-670-201912001 (including) |
| Esxi | Vmware | 6.7-670-201912101 (including) | 6.7-670-201912101 (including) |
| Esxi | Vmware | 6.7-670-201912102 (including) | 6.7-670-201912102 (including) |
| Esxi | Vmware | 6.7-670-201912401 (including) | 6.7-670-201912401 (including) |
| Esxi | Vmware | 6.7-670-201912402 (including) | 6.7-670-201912402 (including) |
| Esxi | Vmware | 6.7-670-201912403 (including) | 6.7-670-201912403 (including) |
| Esxi | Vmware | 6.7-670-201912404 (including) | 6.7-670-201912404 (including) |
| Esxi | Vmware | 6.7-670-201912405 (including) | 6.7-670-201912405 (including) |
| Esxi | Vmware | 6.7-670-202004001 (including) | 6.7-670-202004001 (including) |
| Esxi | Vmware | 6.7-670-202004002 (including) | 6.7-670-202004002 (including) |
| Esxi | Vmware | 6.7-670-202004301 (including) | 6.7-670-202004301 (including) |
| Esxi | Vmware | 6.7-670-202004401 (including) | 6.7-670-202004401 (including) |
| Esxi | Vmware | 6.7-670-202004402 (including) | 6.7-670-202004402 (including) |
| Esxi | Vmware | 6.7-670-202004403 (including) | 6.7-670-202004403 (including) |
| Esxi | Vmware | 6.7-670-202004404 (including) | 6.7-670-202004404 (including) |
| Esxi | Vmware | 6.7-670-202004405 (including) | 6.7-670-202004405 (including) |
| Esxi | Vmware | 6.7-670-202004406 (including) | 6.7-670-202004406 (including) |
| Esxi | Vmware | 6.7-670-202004407 (including) | 6.7-670-202004407 (including) |
| Esxi | Vmware | 6.7-670-202004408 (including) | 6.7-670-202004408 (including) |
| Esxi | Vmware | 6.7-670-202006001 (including) | 6.7-670-202006001 (including) |
| Esxi | Vmware | 6.7-670-202008001 (including) | 6.7-670-202008001 (including) |
| Esxi | Vmware | 6.7-670-202010001 (including) | 6.7-670-202010001 (including) |
| Esxi | Vmware | 6.7-670-202011001 (including) | 6.7-670-202011001 (including) |
| Esxi | Vmware | 6.7-670-202011002 (including) | 6.7-670-202011002 (including) |
| Esxi | Vmware | 6.7-670-202102001 (including) | 6.7-670-202102001 (including) |
| Esxi | Vmware | 6.7-670-202103001 (including) | 6.7-670-202103001 (including) |
| Esxi | Vmware | 6.7-670-202111101 (including) | 6.7-670-202111101 (including) |
| Esxi | Vmware | 7.0 (including) | 7.0 (including) |
| Esxi | Vmware | 7.0-update_1 (including) | 7.0-update_1 (including) |
| Esxi | Vmware | 7.0-update_2 (including) | 7.0-update_2 (including) |
| Esxi | Vmware | 7.0-update_3 (including) | 7.0-update_3 (including) |
The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system’s reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes:
In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process. If the newly allocated data happens to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.