Broadcom has released a security update for VMware Fusion to fix a high-severity flaw, tracked as CVE-2026-41702, which could allow local attackers to escalate privileges to root on affected systems. The vulnerability is a time-of-check to time-of-use (TOCTOU) issue affecting operations performed by a SETUID binary and was privately reported to Broadcom, according to the advisory.
Broadcom notes that an attacker with local non-administrative user privileges can exploit the bug to gain root access on the host where Fusion is installed. Successful exploitation could give attackers full control of vulnerable machines, increasing risk from compromised user accounts or insider threats.
VMware Fusion remains widely used by developers and IT professionals on macOS, and the patch arrives amid Broadcom’s participation in the Pwn2Own hacking competition in Berlin, where VMware targets have historically drawn high payouts. Users running VMware Fusion are advised to apply the latest updates promptly to reduce the risk of privilege escalation.

May 14, 2026.