CVE-2022-31705: 
NixOS vulnerability analysis and mitigation

A heap out-of-bounds write vulnerability was discovered in VMware ESXi, Workstation, and Fusion's USB 2.0 controller (EHCI), identified as CVE-2022-31705. The vulnerability was privately reported to VMware and publicly disclosed on December 13, 2022. The affected products include VMware ESXi 7.0 and 8.0, Fusion 12.x, Workstation 16.x, and VMware Cloud Foundation (ESXi) versions 4.x/3.x (VMware Advisory).

The vulnerability is classified as a heap out-of-bounds write issue in the USB 2.0 controller (EHCI) component. VMware assigned this vulnerability a Critical severity rating with varying CVSS scores: 9.3 for Workstation and Fusion, and 5.9 for ESXi. The vulnerability was discovered by Yuhao Jiang and reported through the GeekPwn 2022 event (VMware Advisory, Security Online).

The vulnerability's impact varies depending on the affected product. On ESXi, the exploitation is contained within the VMX sandbox. However, on Workstation and Fusion, successful exploitation could lead to code execution on the host machine where the software is installed. The attacker could execute code as the virtual machine's VMX process running on the host (VMware Advisory).

VMware released patches to address this vulnerability: ESXi80a-20842819 for ESXi 8.0, ESXi70U3si-20841705 for ESXi 7.0, Workstation 16.2.5, and Fusion 12.2.5. Users are strongly advised to apply these updates. Specific workarounds are documented in KB87617 for ESXi and KB79712 for Workstation and Fusion (VMware Advisory).