CVE-2020-3968

Name of the Vulnerable Software and Affected Versions VMware ESXi versions 7.0 before ESXi 7.0.0-1.20.16321839 VMware ESXi versions 6.7 before ESXi670-202004101-SG VMware ESXi versions 6.5 before ESXi650-202005401-SG VMware Workstation versions 15.x before 15.5.5 VMware Fusion versions 11.x before 11.5.5

Description The issue is related to an out-of-bounds write vulnerability in the USB 3.0 controller (xHCI) of VMware products. A malicious actor with local administrative privileges on a virtual machine may be able to exploit this issue to crash the virtual machine's vmx process, leading to a denial of service condition, or execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker's control must be present for exploitation to be possible.

Recommendations For VMware ESXi versions 7.0 before ESXi 7.0.0-1.20.16321839, update to a version that includes the fix. For VMware ESXi versions 6.7 before ESXi670-202004101-SG, update to a version that includes the fix. For VMware ESXi versions 6.5 before ESXi650-202005401-SG, update to a version that includes the fix. For VMware Workstation versions 15.x before 15.5.5, update to version 15.5.5 or later. For VMware Fusion versions 11.x before 11.5.5, update to version 11.5.5 or later. As a temporary workaround, consider disabling the xHCI controller until a patch is available.