VMware Fusion Flaw Lets Local Attackers Escalate Privileges to Root on macOS


Broadcom has patched a high-severity VMware Fusion vulnerability that could let a local attacker gain root privileges on a macOS system running the affected virtualization software.

The flaw is tracked as CVE-2026-41702 and affects VMware Fusion 25H2. Broadcom fixed the issue in VMware Fusion 26H1, which was released on May 14, 2026.

The bug does not allow remote exploitation by itself. An attacker first needs local non-administrative access to the Mac where VMware Fusion is installed, but successful exploitation could turn that limited access into root-level control.

What CVE-2026-41702 affects

CVE-2026-41702 is a time-of-check to time-of-use (TOCTOU) race condition. Broadcom says the flaw occurs during an operation performed by a SETUID binary in VMware Fusion.

SETUID binaries are sensitive because they can run with higher privileges than the user who launches them. If a race condition exists in that flow, an attacker may be able to change a file, path, or state after the program checks it but before it uses it.

That timing gap can create a privilege escalation path. In this case, Broadcom says a malicious local user with non-administrative privileges may exploit the flaw to escalate privileges to root on the system where Fusion is installed.
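As an added illustration of the check-then-use gap described above (this is generic example code, not Fusion's code, which Broadcom has not published; the file paths and the fixture are constructed for the demo), here is the classic access()/open() race in a SETUID program beside a hardened form that decides on the open descriptor rather than on the path:

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: the check (access) and the use (open) are two separate
 * system calls on a *path*, so what the path resolves to can change between
 * them.  In a SETUID binary access() tests the real user's rights while
 * open() runs with the effective (root) privileges. */
int open_user_file_racy(const char *path) {
    if (access(path, R_OK) != 0)
        return -1;                    /* check */
    return open(path, O_RDONLY);      /* use: nothing ties this to the check */
}

/* Hardened pattern: open once, refuse a symlink at the final component,
 * then make every decision on the descriptor via fstat().  The fd is bound
 * to one inode, so there is no second path lookup left to race. */
int open_user_file_safe(const char *path, uid_t real_uid) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                    /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != real_uid) {
        close(fd);                    /* not a plain file owned by the caller */
        return -1;
    }
    return fd;                        /* all later reads use fd, never path */
}

/* Constructed fixture: a regular file owned by the caller plus a symlink
 * pointing at it, standing in for the "path changed after the check" case. */
int make_fixture(const char *file, const char *link) {
    unlink(file);
    unlink(link);
    int fd = open(file, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "demo\n", 5) != 5)
        return -1;
    close(fd);
    return symlink(file, link);
}

int main(void) {
    const char *f = "/tmp/toctou_demo.txt", *l = "/tmp/toctou_demo.lnk";
    if (make_fixture(f, l) != 0)
        return 1;
    printf("racy via symlink: %s\n", open_user_file_racy(l) >= 0 ? "opened" : "refused");
    printf("safe via symlink: %s\n", open_user_file_safe(l, getuid()) >= 0 ? "opened" : "refused");
    printf("safe direct file: %s\n", open_user_file_safe(f, getuid()) >= 0 ? "opened" : "refused");
    return 0;
}
```

In a real SETUID program real_uid comes from getuid(), and any subsequent read or write goes through the returned descriptor so the path is never looked up a second time.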

Vulnerability detail | Information
--- | ---
CVE ID | CVE-2026-41702
Affected product | VMware Fusion
Affected version | 25H2
Fixed version | 26H1
Vulnerability type | TOCTOU race condition in a SETUID binary operation
Vendor severity | Important
CVSS v3.1 score | 7.8 (High)
Workaround | None

Why the VMware Fusion flaw matters

Local privilege escalation bugs matter because attackers often use them after gaining an initial foothold. A phishing payload, stolen user account, malicious script, or insider threat may start with limited permissions.

If VMware Fusion is installed and vulnerable, CVE-2026-41702 could help that attacker move from a standard account to root. Root access gives broad control over the host system, including files, security tools, processes, and local configuration.

This risk matters most for developers, security researchers, IT teams, and enterprise users who run virtual machines on Macs. These systems often contain source code, credentials, test environments, and access to internal infrastructure.

Broadcom says no workaround is available

Broadcom’s advisory lists no workaround for CVE-2026-41702. That means users cannot rely on a temporary configuration change to fully remove the risk.

The recommended remediation is to update VMware Fusion to version 26H1. Administrators should treat this as a priority update for Macs that run Fusion 25H2, especially in shared, managed, or developer-heavy environments.

Broadcom credited security researcher Mathieu Farrell, also known as @coiffeur0x90, for privately reporting the vulnerability.

  • Check whether VMware Fusion 25H2 is installed.
  • Upgrade affected Macs to VMware Fusion 26H1.
  • Prioritize developer workstations and shared macOS systems.
  • Review local user accounts for unexpected access.
  • Monitor systems for unusual privilege escalation attempts.

VMware Fusion 26H1 includes the fix

VMware Fusion 26H1 is the fixed release for this vulnerability. Broadcom’s release notes state that the update resolves CVE-2026-41702.

The broader 26H1 release also includes other product updates for VMware Workstation and Fusion, including management improvements and expanded support for newer guest operating systems.

Users should download Fusion updates only through Broadcom’s official support portal or trusted enterprise software management systems. Organizations should avoid relying on old installers stored in internal mirrors unless those mirrors have already been updated.

How administrators should respond

Security teams should start by identifying all Macs with VMware Fusion installed. Software inventory tools, MDM systems, endpoint management platforms, and local checks can help locate exposed systems.

After patching, teams should confirm the installed version and document the update status. This matters in larger environments where some Macs may miss updates because they are offline, unmanaged, or used by contractors.

Administrators should also review whether standard users have unnecessary local access on machines that run virtualization tools. CVE-2026-41702 requires local access, so reducing unnecessary user accounts can lower exposure.

Admin task | Why it helps
--- | ---
Inventory VMware Fusion installs | Finds every Mac that may run the vulnerable version.
Update to 26H1 | Applies Broadcom's fix for CVE-2026-41702.
Verify installed versions | Confirms that patch deployment succeeded.
Review local user accounts | Reduces the number of accounts that could attempt local exploitation.
Monitor endpoint activity | Helps detect suspicious local privilege escalation behavior.

Why local bugs can still become serious

Some organizations may treat local-only vulnerabilities as lower priority because they do not allow direct remote compromise. That can be risky when attackers already have another way into the system.

Privilege escalation flaws often become one step in a larger attack chain. An attacker may first compromise a user account, run code with limited permissions, then exploit a local bug to disable security controls or access protected files.

For VMware Fusion users, the safest response is simple. Update to 26H1, verify the upgrade, and continue watching for suspicious activity on systems that previously ran Fusion 25H2.

FAQ

What is CVE-2026-41702?

CVE-2026-41702 is a high-severity VMware Fusion vulnerability that can allow a local non-administrative user to escalate privileges to root on a macOS system where Fusion is installed.

Which VMware Fusion version is affected?

Broadcom lists VMware Fusion 25H2 as affected by CVE-2026-41702. The vulnerability has been fixed in VMware Fusion 26H1.

Can CVE-2026-41702 be exploited remotely?

Broadcom describes the attack vector as local. An attacker needs local non-administrative user privileges on the system where VMware Fusion is installed.

Is there a workaround for the VMware Fusion vulnerability?

No. Broadcom lists no workaround for CVE-2026-41702. Users should update VMware Fusion to version 26H1 to remediate the issue.

Why is a local privilege escalation bug serious?

A local privilege escalation bug can help an attacker move from limited access to root-level control. Attackers often combine these flaws with phishing, stolen accounts, malware, or insider access to take over a system.
