CVE-2021-22045: VMware Workstation, Fusion and ESXi heap-overflow vulnerability
VMware has released emergency updates for VMware Workstation, Fusion, and ESXi to fix a heap-overflow vulnerability. It is tracked as CVE-2021-22045 and carries a CVSS score of 7.7. An attacker who successfully exploits this vulnerability could execute arbitrary code. The vulnerability was discovered by Jaanus Kääp, a security researcher at Clarified Security, who reported it to VMware for a fix.
According to VMware's security advisory, a malicious actor with access to a virtual machine that has CD-ROM device emulation may be able to execute arbitrary code from within that virtual machine when the flaw is combined with other vulnerabilities. The vulnerability affects ESXi versions 6.5, 6.7 and 7.0, VMware Workstation 16.x, and Fusion 12.x.
No security updates have been released for ESXi at this time, so VMware recommends that enterprises and teams running ESXi temporarily disable the CD-ROM/DVD devices on all running virtual machines as a workaround to prevent potential attacks.
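One way to audit and apply that workaround across a whole inventory, as an added VMware PowerCLI example that is not part of the advisory; the vCenter/ESXi host name is a placeholder and the PowerCLI module is assumed to be installed:

```powershell
# Added example (not from the advisory): audit and apply the CD-ROM/DVD workaround
# for CVE-2021-22045 with VMware PowerCLI. 'vcenter.example.test' is a placeholder
# for your vCenter Server or standalone ESXi host.
Connect-VIServer -Server 'vcenter.example.test'

# 1. Audit: list powered-on VMs whose CD/DVD drive is currently connected,
#    i.e. the set of guests that can reach the emulated device.
$exposed = Get-VM |
    Where-Object { $_.PowerState -eq 'PoweredOn' } |
    Get-CDDrive |
    Where-Object { $_.ConnectionState.Connected -eq $true }

$exposed |
    Select-Object @{N = 'VM'; E = { $_.Parent.Name } }, Name, IsoPath,
                  @{N = 'Connected'; E = { $_.ConnectionState.Connected } } |
    Format-Table -AutoSize

# 2. Mitigate: detach the backing media and disconnect the drive on those VMs.
#    The device definition stays on the VM, so it can be reconnected after patching.
$exposed | Set-CDDrive -NoMedia -Confirm:$false

# 3. Verify: no CD/DVD drive on a running VM should still report Connected.
$remaining = Get-VM |
    Where-Object { $_.PowerState -eq 'PoweredOn' } |
    Get-CDDrive |
    Where-Object { $_.ConnectionState.Connected -eq $true }
"Connected CD/DVD drives on running VMs after workaround: $($remaining.Count)"

Disconnect-VIServer -Server 'vcenter.example.test' -Confirm:$false
```

Run step 1 on its own first to see which VMs will be changed; step 3 should report 0 once the workaround has been applied.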