Mallory
High

Local privilege escalation in VMware Fusion SETUID binary

CVE-2026-41702 is a local privilege escalation vulnerability in VMware Fusion on macOS. The flaw is described as a TOCTOU (time-of-check time-of-use) race condition occurring during an operation performed by a SETUID binary within VMware Fusion. An attacker with local access and only non-administrative user privileges can exploit the race condition to cause the privileged binary to operate on a resource whose state changes between validation and use, resulting in elevation of privileges to root. Reported affected versions are VMware Fusion 25H2 / versions prior to 26H1.
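The page gives no detail of the flaw beyond its class. As an added illustration (not VMware's code and not taken from the advisory), this C sketch shows the general check-then-use pattern in a SETUID helper beside a descriptor-based form that validates the object it will actually use; the function names and the ownership policy are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Racy pattern (hypothetical helper): the path is resolved twice.
 * access() validates with the real UID, open() then acts with the
 * effective UID (root in a SETUID binary). Whatever the path names
 * can change between the two calls, so the check says nothing about
 * the object that is finally opened. */
int open_checked_racy(const char *path)
{
    if (access(path, R_OK) != 0)        /* time of check */
        return -1;
    return open(path, O_RDONLY);        /* time of use   */
}

/* Descriptor-based pattern (hypothetical helper): resolve the path once,
 * refuse a symlink as the final component, then validate the opened
 * object through the descriptor. Later changes to the path cannot
 * redirect an already-open descriptor.
 * Assumed policy: regular file, owned by expected_owner (for a SETUID
 * helper this would be getuid()), not writable by group or others.
 * O_NOFOLLOW covers the final path component only; intermediate
 * directories still have to be trusted or walked with openat(). */
int open_checked_fd(const char *path, uid_t expected_owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||
        st.st_uid != expected_owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;                          /* caller uses and closes fd */
}
```

Code review of privileged helpers can look for the first shape: any `access()`, `stat()` or `lstat()` on a path followed by a second path-based call on the same name.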


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. For analysts and engineers who need to decide and keep moving.

Impact

What an attacker gets — and what they’ve been doing with it.

Successful exploitation allows a local non-administrative user to escalate privileges to root on the affected macOS host. Root access can provide full control of the system, enabling arbitrary privileged actions such as modifying system configuration, accessing sensitive data, installing persistent components, tampering with security controls, and using the compromised host as a stronger foothold for further operations.

Mitigation

If you can’t patch tonight, do this now.

No workaround is available according to Broadcom. Until patched, risk reduction is limited to restricting local access to affected macOS systems, minimizing use of untrusted local accounts, monitoring for suspicious privilege-escalation activity, and prioritizing patch deployment on shared systems, developer workstations, and enterprise endpoints running VMware Fusion.

Remediation

Patch, then assume compromise.

Upgrade VMware Fusion to version 26H1 or later. Broadcom states that VMware Fusion versions prior to 26H1 are affected and that the issue is addressed by the security update published in advisory VMSA-2026-0003 on 2026-05-14. Applying the vendor patch is the required remediation.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Broadcom | Fusion | application

Vendor-confirmed product mapping. Mallory continuously reconciles against your asset inventory in the product.
