CVE-2023-34046 MEDIUM

CVE-2023-34046: VMware Fusion TOCTOU local privilege escalation vulnerability

Vendor: VMware
Product: Fusion
Published: October 20, 2023
Last update: March 7, 2025

CVSS base score

6.7/10
Attack vector: Local
Attack complexity: High
Privileges required: Low
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

VMware Fusion (13.x prior to 13.5) contains a TOCTOU (time-of-check to time-of-use) vulnerability that occurs during first-time installation (the user needs to drag or copy the application to a folder from the '.dmg' volume) or when installing an upgrade. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed or is being installed for the first time.

Key dates

02 Disclosure timeline

October 20, 2023: CVE published
March 7, 2025: Record updated