CVE-2021-21988: 
VMware Workstation Player vulnerability analysis and mitigation

CVE-2021-21988 is an out-of-bounds read vulnerability discovered in VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2), specifically affecting the Cortado ThinPrint component's JPEG2000 Parser. The vulnerability was disclosed on May 24, 2021, and was reported by an anonymous researcher working with Trend Micro's Zero Day Initiative (VMware Advisory, ZDI Advisory).

The vulnerability exists within the ThinPrint component, specifically in the JPEG2000 Parser. When parsing JPEG2000 codestreams embedded in EMF files, the process does not properly validate user-supplied data, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (NVD).

If exploited, this vulnerability could allow an attacker to disclose sensitive information from the TPView process running on the system where Workstation or Horizon Client for Windows is installed. The impact is limited to information disclosure with no integrity or availability impacts (VMware Advisory).

VMware has released patches to address this vulnerability. Users should upgrade VMware Workstation to version 16.1.2 and Horizon Client for Windows to version 5.5.2. No workarounds are available for this vulnerability, making patching the only effective mitigation strategy (VMware Advisory).