CVE-2025-41238: 
VMware Workstation vulnerability analysis and mitigation

CVE-2025-41238 is a critical heap-overflow vulnerability discovered in VMware ESXi, Workstation, and Fusion's PVSCSI (Paravirtualized SCSI) controller. The vulnerability was reported on July 15, 2025, by Thomas Bouzerar and Etienne Helluy-Lafont of Synacktiv through the Pwn2Own competition. This vulnerability affects multiple VMware products including VMware Cloud Foundation, VMware Fusion, VMware Telco Cloud Infrastructure, VMware Telco Cloud Platform, VMware vSphere ESXi, and VMware Workstation (Broadcom Advisory).

The vulnerability is characterized as a heap-overflow in the PVSCSI controller that leads to an out-of-bounds write. It has been assigned a Critical severity rating with a CVSS v3.1 base score of 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The vulnerability is classified under CWE-787 (Out-of-bounds Write) (NVD).

The vulnerability allows a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. On ESXi systems, the exploitation is contained within the VMX sandbox and is only exploitable with unsupported configurations. However, on Workstation and Fusion installations, successful exploitation can lead to code execution on the host machine where these applications are installed (Security Online).

Broadcom has released patches to address this vulnerability across affected products. The fixed versions include ESXi80U3f-24784735 for VMware ESXi 8.0, ESXi70U3w-24784741 for VMware ESXi 7.0, Workstation version 17.6.4, and Fusion version 13.6.4. No workarounds are available, making patch installation the only remediation option (Broadcom Advisory).