CVE-2024-22252: 
NixOS vulnerability analysis and mitigation

CVE-2024-22252 is a use-after-free vulnerability discovered in the XHCI USB controller affecting VMware ESXi, Workstation, and Fusion products. The vulnerability was disclosed on March 5, 2024, and was initially reported by researchers during the 2023 Tianfu Cup Pwn Contest (VMware Advisory).

The vulnerability is classified as critical with a CVSSv3 base score of 9.3 for Workstation/Fusion and 8.4 for ESXi. It specifically affects the XHCI USB controller implementation in these products. The vulnerability has been categorized as CWE-416 (Use After Free) and requires local access to exploit (NVD).

The impact varies depending on the affected product. On VMware ESXi, the exploitation is contained within the VMX sandbox, limiting the potential damage. However, on Workstation and Fusion, successful exploitation could lead to code execution on the host machine where these applications are installed (VMware Advisory).

VMware has released patches for affected products: ESXi 7.0 (ESXi70U3p-23307199), ESXi 8.0 (ESXi80U2sb-23305545), Workstation 17.x (version 17.5.1), and Fusion 13.x (version 13.5.1). Due to the severity, patches are also available for end-of-life products including ESXi 6.7 (6.7U3u) and 6.5 (6.5U3v). A temporary workaround involves removing USB controllers from the VM, though this may affect virtual console functionality (VMware Advisory).