History: Feb 27, 2024 - 5:35 p.m.

CVE-2024-22251 Out-of-bounds read vulnerability

2024-02-27 17:35:31
vmware
github.com
vmware fusion
usb ccid
out-of-bounds read
information disclosure
virtual machine

CVSS3: 5.9

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

AI Score: 6.3
Confidence: Low

SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

VMware Workstation and Fusion contain an out-of-bounds read vulnerability in the USB CCID (chip card interface device). A malicious actor with local administrative privileges on a virtual machine may trigger an out-of-bounds read leading to information disclosure.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows",
      "Linux"
    ],
    "product": "VMware Workstation",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "17.5.1",
        "status": "affected",
        "version": "17.x",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "MacOS"
    ],
    "product": "VMware Fusion",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "13.5.1",
        "status": "affected",
        "version": "13.x",
        "versionType": "custom"
      }
    ]
  }
]
