74 matches found
CVE-2019-17148
CVE-2019-17148 describes a local privilege escalation in Parallels Desktop (v14.1.3, build 45485). The flaw is in the Parallels Service and results from improper validation of a user-supplied string before it is used to perform a system call, enabling an attacker with low-privilege code execution...
CVE-2021-34987
This CVE (CVE-2021-34987) concerns Parallels Desktop 16.5.1 (49187) where the HDAudio virtual device contains a buffer overflow due to improper validation of user-supplied data length before copying to a fixed-length buffer. The vulnerability enables local privilege escalation and arbitrary code ...
CVE-2021-27278
CVE-2021-27278 concerns Parallels Desktop (v16.1.1-49141) affecting the Toolgate component. The vulnerability arises from improper validation of a user-supplied path used in file operations, enabling local attackers who have the ability to run high-privileged code on a guest to escalate privilege...
CVE-2021-34986
Parallels Desktop 16.5.0 (49183) contains a local privilege escalation in the Parallels Service. By creating a symbolic link, an attacker who can run low-privileged code can abuse the service to execute a file, escalating to root and executing arbitrary code. This has been disclosed as ZDI-22-385...
CVE-2024-6154
CVE-2024-6154 affects Parallels Desktop Toolgate, where a heap-based buffer overflow in the Toolgate component is caused by inadequate validation of the length of user-supplied data before copying to a fixed-size heap buffer. This allows local attackers who can run high-privileged code on the gue...
CVE-2023-27322
CVE-2023-27322 affects Parallels Desktop Service, with a local privilege escalation caused by improper initialization of environment variables in the Parallels Service. The vulnerability enables a local attacker who already has low-privilege code execution access to escalate to root and execute a...
CVE-2023-50226
Parallels Desktop Updater contains a local privilege escalation via the Updater service. The flaw arises from creating a symbolic link to move arbitrary files, allowing an attacker who already has low-privilege code execution to escalate to root and execute arbitrary code. Several sources corrobo...
CVE-2024-6240
CVE-2024-6240 concerns an improper privilege management vulnerability in Parallels Desktop Software prior to version 19.3.0. An attacker could place malicious code in a script and populate the BASH_ENV variable with the path to that script, causing it to execute on application startup and potenti...
CVE-2023-27326
CVE-2023-27326 is a local privilege escalation in Parallels Desktop where the Toolgate component fails to validate a user-supplied path, enabling directory traversal and arbitrary code execution as the current host user. Exploitation requires prior high-privilege code execution on the guest syste...
CVE-2023-50227
CVE-2023-50227 describes a vulnerability in Parallels Desktop affecting the virtio-gpu virtual device. The issue is an out-of-bounds write caused by improper validation of user-supplied data, enabling a remote attacker to execute code in the hypervisor. Exploitation requires user interaction (the...
CVE-2024-54189
Summary: CVE-2024-54189 is a local privilege-escalation vulnerability in Parallels Desktop for Mac 20.1.1 (build 55740). During VM snapshot creation, the root-level prl_disp_service writes metadata to a snapshot.xml file in a VM directory owned by a normal user. An attacker can replace that file ...
CVE-2023-27327
CVE-2023-27327 concerns Parallels Desktop Toolgate, a local privilege escalation. The flaw arises from missing locking when operating on an object within Toolgate, enabling a local attacker who can run high-privileged code on the guest to escalate privileges and execute code in the host context. ...
CVE-2023-27324
CVE-2023-27324 affects Parallels Desktop Updater on macOS. The Updater service suffers from improper initialization of environment variables, enabling a local attacker to escalate privileges to root by executing low-privileged code on the target host. Documents consistently identify the impact as...
CVE-2020-17395
Parallels Desktop contains a local privilege-escalation flaw in the prl_naptd process due to an improper validation of user-supplied data, causing an integer underflow before memory write. This can allow an attacker with the ability to run high-privilege code on a guest to escalate privileges and...
CVE-2024-6153
CVE-2024-6153 affects Parallels Desktop Updater. The flaw is in the Updater service where version information is not properly validated before performing updates. This enables local attackers who can run low-privilege code to cause a downgrade and, potentially in conjunction with other vulnerabil...
CVE-2023-27328
Parallels Desktop Toolgate XML Injection Local Privilege Escalation: Affected component is Toolgate within Parallels Desktop. Root cause is improper validation of a user-supplied string used to construct an XML document, enabling a local attacker to escalate privileges and execute arbitrary code ...
CVE-2007-2455
Technical details about CVE-2007-2455 are not publicly available in the provided connected documents; no affected products, root cause, impact, or remediation are specified. Monitor for updates in future reports.
CVE-2022-34889
CVE-2022-34889 affects Parallels Desktop 17.1.1 (51537). The vulnerability is in the ACPI virtual device and arises from insufficient validation of user-supplied data, causing a read past the end of an allocated buffer. This enables local attackers who can run high-privilege code on the target gu...
CVE-2024-52561
Summary: CVE-2024-52561 is a privilege-escalation vulnerability in Parallels Desktop for Mac 20.1.1 (build 55740). During snapshot deletion, the root service (prl_disp_service) verifies and may change ownership of files under the Snapshot directory. Attackers can exploit a symlink to replace the ...
CVE-2021-27243
This entry concerns CVE-2021-27243 affecting Parallels Desktop (Toolgate). The impact is local privilege escalation via an integer overflow in Toolgate caused by insufficient validation of user-supplied data, which can lead to buffer overflow and arbitrary code execution in the hypervisor context...
CVE-2021-27244
Parallels Desktop 16.0.1-48919 contains a local, information-disclosure vulnerability in the Toolgate component. The flaw arises from improper validation of user-supplied data, leading to a read past the end of an allocated buffer. An attacker who can execute low-privileged code on the guest OS c...
CVE-2022-34891
CVE-2022-34891 affects Parallels Desktop 17.1.1. The flaw is in the updater mechanism where permissions on sensitive files are set incorrectly, enabling a local, low-privilege attacker to escalate to root and execute arbitrary code. Exploitation details or active exploitation are not provided in ...
CVE-2023-50228
Parallels Desktop Updater contains an in-the-wild vulnerability: improper verification of a cryptographic signature in the Updater service allows a local attacker who can run low-privileged code to escalate to root. Affected: Parallels Desktop Updater. Root cause: signature verification bypass. I...
CVE-2025-31359
Cisco TALOS reports TALOS-2025-2160 (CVE-2025-31359) as a directory-traversal vulnerability in Parallels Desktop for Mac 20.2.2 (55879) affecting the PVMP unpacking process via prl_packer_inplace. The flaw allows a directory traversal payload to cause writes to arbitrary files, potentially enabli...
CVE-2020-17399
CVE-2020-17399 affects Parallels Desktop (15.1.4) with the prl_hypervisor kext. The flaw arises from insufficient validation of user-supplied data, causing a write past the end of an allocated buffer and enabling local privilege escalation to kernel context. Several connected sources corroborate ...
CVE-2020-17397
CVE-2020-17397 affects Parallels Desktop (notably 15.1.4) where a memory corruption triggered by improper validation of data in network packet handling allows local privilege escalation to the hypervisor context. Exploitation requires high-privilege code execution on the target guest; no public e...
CVE-2021-31432
The CVE-2021-31432 issue affects Parallels Desktop 15.1.5-47309 and is tied to the IDE virtual device. The root cause is improper validation of user-supplied data that leads to an out-of-bounds read (read past the end of an allocated buffer). This information disclosure vulnerability requires a l...
CVE-2020-17398
CVE-2020-17398 affects Parallels Desktop (notably 15.1.4) through the prl_hypervisor kernel extension. The issue is an out-of-bounds read caused by insufficient validation of user-supplied data, enabling local attackers who can run low-privilege code to disclose information and, in combination wi...
CVE-2020-17402
CVE-2020-17402 affects Parallels Desktop 15.1.4 (47270) via a flaw in the prl_hypervisor kext. The weakness allows a local, low-privilege attacker who can run code on the target to disclose a memory address by inspecting a log file, which could be used with other vulnerabilities to escalate to ke...
CVE-2020-17393
The CVE-2020-17393 issue affects Parallels Desktop (15.1.3-47255) through the prl_hypervisor kext. A lack of proper validation of user-supplied data can leak a kernel pointer after the handler completes, enabling local information disclosure. While the advisory notes this could be leveraged along...
CVE-2020-17400
The CVE-2020-17400 entry concerns Parallels Desktop (vulnerable through the prl_hypervisor kext). A local attacker who can run low-privilege code can exploit an input-validation flaw that leads to a read past the end of an allocated buffer, enabling privilege escalation and code execution in the ...
CVE-2021-34855
CVE-2021-34855 affects Parallels Desktop 16.1.3 (49160) and involves the Toolgate component. The issue arises from uninitialized memory access in Toolgate, allowing a local attacker who can run low-privileged code on the guest to disclose sensitive information. The vulnerability can be leveraged ...
CVE-2020-17394
CVE-2020-17394 affects Parallels Desktop (OEMNet) and stems from insufficient validation of user-supplied data, causing an out-of-bounds read in a local context. Exploitation requires high-privilege code on the guest; successful exploitation could disclose memory-resident data and, as described i...
CVE-2021-31422
CVE-2021-31422 affects Parallels Desktop 16.1.1-49141. The vulnerability is in the e1000e virtual device, caused by a lack of proper locking when performing operations on an object, enabling a local attacker who already has high-privilege code execution in the guest to escalate privileges and exe...
CVE-2020-17396
CVE-2020-17396 affects Parallels Desktop (notably 15.1.4) via the prl_hypervisor module. The issue is an integer overflow caused by insufficient validation of user-supplied data, leading to a buffer allocation error and the possibility for a local attacker to escalate privileges and execute code ...
CVE-2022-34890
CVE-2022-34890 affects Parallels Desktop 17.1.1 (51537) with the flaw in Parallels Tools. The issue arises from improper validation of a user-supplied value dereferenced as a pointer, enabling a local attacker with low privileges on the guest to disclose sensitive information and, in conjunction ...
CVE-2022-34892
CVE-2022-34892 affects Parallels Desktop 17.1.1 on macOS. A race-condition in the updater mechanism (due to lack of proper locking when operating on an object) can be exploited by a local attacker who already has low-privilege code execution to escalate to root and execute arbitrary code. The iss...
CVE-2023-27325
The CVE-2023-27325 issue affects Parallels Desktop and specifically the Updater service. The root cause is improper initialization of environment variables, which allows a local attacker with low-privilege code execution to escalate to root privileges and run arbitrary code. Public documentation ...
CVE-2020-17390
CVE-2020-17390 affects Parallels Desktop on macOS, specifically versions around 15.1.2-47123, with a vulnerability in the hypervisor kernel extension. The issue stems from improper validation of user-supplied data, causing an out-of-bounds read that can escalate privileges to the hypervisor conte...
CVE-2020-17391
The CVE-2020-17391 entries describe a local information-disclosure flaw in Parallels Desktop’s prl_hypervisor kext, specifically in the HOST_IOCTL_INIT_HYPERVISOR handler. The vulnerability arises from exposing a dangerous method to unprivileged users, enabling a local attacker to disclose kernel...
CVE-2020-17401
CVE-2020-17401 affects Parallels Desktop 15.1.4, with the vulnerability located in the VGA virtual device. The issue is an out-of-bounds read caused by improper validation of user-supplied data, allowing local attackers who can execute high-privilege code on the guest to read past the end of an a...
CVE-2020-8871
The CVE-2020-8871 entry describes a local privilege-escalation flaw in Parallels Desktop 15.1.0-47107 caused by improper validation in the VGA virtual device, leading to a write past the end of an allocated buffer. An attacker must first gain the ability to execute high-privileged code on the tar...
CVE-2021-31420
CVE-2021-31420 is a stack-based buffer overflow in Parallels Desktop 16.1.0-48950, within the Toolgate component. The issue results from insufficient validation of the length of user-supplied data before copying to a fixed-length stack buffer. This permits local attackers who can run low-privileg...
CVE-2023-27323
CVE-2023-27323 concerns Parallels Desktop Updater on macOS, where a Time-Of-Check Time-Of-Use flaw in the Updater service can be triggered by creating a symbolic link to abuse the service and execute a file, leading to local privilege escalation to root. Affected software is Parallels Desktop (Up...
CVE-2021-31417
Parallels Desktop 15.1.4-47270 is affected by CVE-2021-31417 in the Toolgate component. The issue stems from uninitialized memory access, enabling a local attacker who can run low-privilege code on the target guest to disclose sensitive information. The vulnerability can be leveraged with other f...
CVE-2021-31428
CVE-2021-31428 affects Parallels Desktop 15.1.5-47309, with the vulnerability located in the IDE virtual device. The issue is a heap-based buffer overflow caused by improper validation of the length of user-supplied data before copying to a fixed-length heap buffer, enabling local privilege escal...
CVE-2021-34864
Parallels Desktop 16.1.3 is affected by a local privilege-escalation in the WinAppHelper component due to improper access control. An attacker with low-privileged code execution in the guest can escalate to the hypervisor context and execute arbitrary code. Root cause: lack of proper access contr...
CVE-2021-34854
CVE-2021-34854 affects Parallels Desktop 16.1.3 (49160) via the Toolgate component. The flaw arises from improper validation of user-supplied data, causing uncontrolled memory allocation and enabling a local attacker who can run low-privilege code on the guest to escalate privileges and execute a...
CVE-2007-2454
CVE-2007-2454 describes a heap-based buffer overflow in the VGA device used by Parallels. The flaw allows local users with root access inside the guest to terminate the virtual machine and potentially execute arbitrary code on the host via vectors related to bitblt operations. Documents do not pr...
CVE-2021-27260
CVE-2021-27260 affects Parallels Desktop 16.0.1-48919. The vulnerability is in the Toolgate component and arises from insufficient validation of user-supplied data, leading to a read past the end of an allocated buffer. This enables local attackers who can execute high-privilege code on the targe...