CVE-2025-22226

CVSS 7.1 HIGH | EPSS 1.7% | KEV | CWE-125

In short

VMware virtualization products have a flaw in the host-guest file-sharing feature (HGFS): an out-of-bounds read lets an administrator of a virtual machine read memory from the VMware vmx process, potentially exposing sensitive data.

Technical detail

An out-of-bounds read vulnerability in HGFS (Host-Guest File System) allows an authenticated attacker with VM administrative privileges to leak arbitrary memory from the vmx process. The vulnerability requires local access to the virtual machine and could expose sensitive information stored in the hypervisor's memory.

Summary generated and translated by AI from the official description.

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
