PatchSiren cyber security CVE debrief

CVE-2026-41702 VMware CVE debrief

A Time-of-check Time-of-use (TOCTOU) vulnerability in VMware Fusion allows local privilege escalation to root. The flaw exists in a SETUID binary operation, where a race condition between checking a resource's state and using it can be exploited by an attacker with local non-administrative access. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high impact across confidentiality, integrity, and availability with low attack complexity. Broadcom (VMware's parent company) has issued a security advisory addressing this vulnerability.

Vendor: VMware
Product: Fusion
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Organizations running VMware Fusion on macOS endpoints, particularly multi-user environments or systems where non-administrative users have local access. Security teams managing virtualized development environments and macOS endpoint security programs.

Technical summary

CVE-2026-41702 is a TOCTOU (CWE-367) vulnerability in VMware Fusion affecting versions prior to 26h1. The vulnerability resides in a SETUID binary operation where an attacker can win a race condition between state verification and resource use. Successful exploitation allows a local non-privileged user to escalate to root privileges on the host system. The attack requires local access but no user interaction, with low complexity. The fix version 26h1 addresses the race condition in the affected SETUID binary.
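To make the CWE-367 pattern concrete, here is an added, constructed illustration (not VMware's or Broadcom's code, and not the logic of the affected Fusion binary): a privileged program that checks a path with access() and then opens it by name, beside the descriptor-based form that removes the window between check and use. The names open_vulnerable, open_hardened and run_demo are hypothetical, and the fixture assumes a writable /tmp.

```c
#define _GNU_SOURCE                       /* O_NOFOLLOW, O_CLOEXEC, mkstemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable (CWE-367): access() checks the real uid's rights on PATH, then
 * open() resolves PATH a second time. Whatever the name points at between
 * the two calls is what the privileged open() reaches. */
int open_vulnerable(const char *path) {
    if (access(path, R_OK) != 0)          /* check, by name     */
        return -1;
    return open(path, O_RDONLY);          /* use, by name again */
}

/* Hardened: resolve the name once, refuse symlinks, then inspect the object
 * behind the descriptor with fstat(). Check and use share one inode. */
int open_hardened(const char *path, uid_t expected_owner) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: a regular file owned by the caller plus a symlink to
 * it. Returns 0 when the vulnerable open follows the link, the hardened open
 * refuses it, and the hardened open still accepts the real file. */
int run_demo(void) {
    char file[] = "/tmp/toctou_demo_XXXXXX", lnk[64];
    int fd = mkstemp(file);
    if (fd < 0) return 1;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (symlink(file, lnk) != 0) { unlink(file); return 2; }
    int v = open_vulnerable(lnk);             /* follows the symlink   */
    int h = open_hardened(lnk, getuid());     /* O_NOFOLLOW refuses it */
    int d = open_hardened(file, getuid());    /* real file is accepted */
    int rc = (v >= 0 && h < 0 && d >= 0) ? 0 : 3;
    if (v >= 0) close(v);
    if (d >= 0) close(d);
    unlink(lnk); unlink(file);
    return rc;
}

int main(void) { return run_demo(); }     /* exit status 0: both behaviours seen */
```

The fix is the general remedy for this bug class: operate on the descriptor you already hold (fstat, fchown, fchmod) rather than re-resolving a path an unprivileged user can change underneath you.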

Defensive priority

HIGH

Recommended defensive actions

  • Apply VMware Fusion 26h1 or later to remediate the TOCTOU vulnerability
  • Restrict local access to systems running VMware Fusion to trusted users only
  • Monitor for anomalous SETUID binary execution patterns on macOS hosts running Fusion
  • Review Broadcom security advisory for additional vendor-specific mitigation guidance

Evidence notes

CVE published 2026-05-15; modified 2026-05-18. Vendor advisory confirms TOCTOU condition in SETUID binary. CWE-367 (Time-of-check Time-of-use race condition) identified. Affected versions: VMware Fusion prior to 26h1.

Official resources

2026-05-15