CVE-2021-22040: 
NixOS vulnerability analysis and mitigation

CVE-2021-22040 is a use-after-free vulnerability discovered in the XHCI USB controller affecting VMware ESXi, Workstation, and Fusion products. The vulnerability was reported by Wei of Kunlun Lab during the 2021 Tianfu Cup Pwn Contest and was publicly disclosed on February 15, 2022. The vulnerability received a CVSS v3.1 base score of 8.4 (Important severity) (VMware Advisory).

The vulnerability is classified as a use-after-free (CWE-416) issue specifically affecting the XHCI USB controller implementation in VMware's virtualization products. It has been assigned a CVSS v3.1 base score of 8.4 with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability (NVD).

If successfully exploited, this vulnerability allows a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. This could lead to a complete compromise of the affected host system's confidentiality, integrity, and availability (VMware Advisory).

VMware has released patches for affected products: ESXi70U3c-19193900 for ESXi 7.0 U3, ESXi70U2e-19290878 for ESXi 7.0 U2, ESXi70U1e-19324898 for ESXi 7.0 U1, ESXi670-202111101-SG for ESXi 6.7, ESXi650-202202401-SG for ESXi 6.5, Fusion 12.2.1, and Workstation 16.2.1. VMware strongly recommends applying these patches to remediate the vulnerability (VMware Advisory).