CVE-2024-22268: 
NixOS vulnerability analysis and mitigation

VMware Workstation and Fusion contain a heap buffer-overflow vulnerability (CVE-2024-22268) in the Shader functionality, discovered and disclosed on May 14, 2024. This vulnerability affects VMware Workstation 17.x running on Windows and VMware Fusion 13.x running on OS X (VMware Advisory).

The vulnerability is a heap buffer-overflow issue present in the Shader functionality of VMware's virtualization products. It has been assigned a CVSS v3.1 base score of 7.1 (Important) by VMware, with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. The specific flaw exists within the SVGA virtual device and results from inadequate validation of user-supplied data length before copying it to a heap-based buffer (Zero Day Initiative).

The exploitation of this vulnerability can lead to a denial of service condition in the affected systems. The vulnerability specifically impacts systems where 3D graphics are enabled on the virtual machine (VMware Advisory).

VMware has released patches to address this vulnerability. Users should update to VMware Workstation version 17.5.2 for Windows systems and VMware Fusion version 13.5.2 for OS X systems. Additional workarounds are documented in KB59146 (VMware Advisory).

VMware has acknowledged the contribution of Pwn2car working with Trend Micro Zero Day Initiative for reporting this vulnerability (VMware Advisory).