VMware Fusion Vulnerability Let Attackers Escalate Privilege to Root

A high-severity privilege escalation vulnerability has been identified in VMware Fusion, Broadcom’s popular macOS virtualization software. This flaw enables local attackers to gain root-level access on affected systems.

Tracked as CVE-2026-41702, the flaw was privately reported to Broadcom and patched on May 14, 2026, under security advisory VMSA-2026-0003.

The vulnerability stems from a TOCTOU (Time-of-Check Time-of-Use) race condition that occurs during an operation performed by a SETUID binary within VMware Fusion.

VMware Fusion TOCTOU Vulnerability

TOCTOU flaws exploit the gap between when a program checks a resource’s state and when it actually uses it, and an attacker can manipulate that window to inject malicious changes and hijack elevated operations.

Any user running VMware Fusion version 25H2 on macOS is affected. The attack requires only local, non-administrative user privileges, no admin rights, and no remote access needed.

A malicious actor already present on the machine, such as a low-privileged insider or a process running under a standard user account, could exploit this flaw to escalate privileges to root.

In shared macOS environments, development workstations, or enterprise endpoints running Fusion, even a limited foothold could translate into complete system compromise.

Broadcom confirmed that no workarounds exist for CVE-2026-41702. The only remediation is to apply the available patch.

Users on VMware Fusion 25H2 must upgrade to version 26H1, where the fix has been applied. Broadcom credited Mathieu Farrell (@coiffeur0x90) for responsibly disclosing the vulnerability through private reporting.

Patch Immediately

Given the absence of mitigating controls, organizations and individual users relying on VMware Fusion should treat this as a priority update.

SETUID-related TOCTOU vulnerabilities are well-documented attack paths that threat actors and red teamers actively exploit for local privilege escalation.

Security teams should audit systems running VMware Fusion and push the 26H1 update across all affected endpoints without delay.

With no workaround available, delayed patching leaves a direct root escalation path open on every unpatched macOS host.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.