Broadcom announced that a VMware Fusion update has been released to patch a high-severity vulnerability, tracked as CVE-2026-41702 and rated important by the vendor. The advisory describes CVE-2026-41702 as a time-of-check/time-of-use (TOCTOU) flaw that occurs during an operation performed by a setuid binary, and notes that a malicious actor with local non-administrative user privileges may escalate privileges to root on the system where Fusion is installed.
The vulnerability was reported by Mathieu Farrell, and the patch arrives as Broadcom attends the Pwn2Own hacking competition in Berlin this week. SecurityWeek reports that vulnerabilities in VMware products are often exploited in the wild, and that CISA’s KEV catalog currently includes 26 VMware flaws. According to Broadcom, VMware may issue further patches in the coming days as attention at Pwn2Own intensifies.
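The advisory gives no code for the Fusion flaw, so what follows is an added, generic illustration of the vulnerability class it names, not Broadcom's or VMware's code: a check-then-use file read of the kind a setuid helper might perform, beside the open-then-fstat form that removes the window. The temp-file layout, the `swap_target` hook and the names `toctou_read` and `safe_read` are constructed for this demonstration and are not taken from the advisory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (the class the advisory names, in generic form):
 * the permission check is done with stat() on a path and the use is a
 * second, independent lookup of that same path with open(). A local user
 * who can re-point the path between the two calls makes the privileged
 * program act on an object it never checked.
 * 'between' is a test hook standing in for that race window; pass NULL to
 * run the pattern as a real program would. */
ssize_t toctou_read(const char *path, uid_t expected_uid,
                    char *buf, size_t n, void (*between)(void)) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (st.st_uid != expected_uid || !S_ISREG(st.st_mode)) return -1; /* check */
    if (between) between();                                          /* window */
    int fd = open(path, O_RDONLY);                                   /* use */
    if (fd < 0) return -1;
    ssize_t got = read(fd, buf, n);
    close(fd);
    return got;
}

/* Hardened pattern: open first, refusing symlinks, then check the object the
 * descriptor actually refers to with fstat(), then read from that same
 * descriptor. Check and use bind to one open file description, so there is
 * no second path lookup for a local user to race. */
ssize_t safe_read(const char *path, uid_t expected_uid, char *buf, size_t n) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || st.st_uid != expected_uid ||
        !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    ssize_t got = read(fd, buf, n);
    close(fd);
    return got;
}

/* Constructed fixture: a fresh temp directory holding the path handed to the
 * program ("target", content "checked") and a decoy ("swapped"). Everything
 * is owned by the current user, so ownership checks pass for getuid(). */
char g_dir[] = "/tmp/toctou-demo-XXXXXX";
char g_target[300], g_swapped[300];

static int write_file(const char *p, const char *s) {
    int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, s, strlen(s));
    close(fd);
    return w == (ssize_t)strlen(s) ? 0 : -1;
}

int setup_fixture(void) {
    if (!mkdtemp(g_dir)) return -1;
    snprintf(g_target, sizeof g_target, "%s/target", g_dir);
    snprintf(g_swapped, sizeof g_swapped, "%s/swapped", g_dir);
    if (write_file(g_target, "checked")) return -1;
    return write_file(g_swapped, "swapped");
}

/* Stand-in for the racing local user: during the window, replace the
 * already-checked regular file with a symlink to the decoy. */
void swap_target(void) {
    unlink(g_target);
    symlink(g_swapped, g_target);
}

int main(void) {
    char buf[32];
    if (setup_fixture() != 0) return 1;
    memset(buf, 0, sizeof buf);
    toctou_read(g_target, getuid(), buf, sizeof buf - 1, swap_target);
    printf("check-then-open read: \"%s\" (checked one file, read another)\n", buf);
    memset(buf, 0, sizeof buf);
    ssize_t r = safe_read(g_target, getuid(), buf, sizeof buf - 1);
    printf("open-then-fstat read: %zd (symlink refused by O_NOFOLLOW)\n", r);
    return 0;
}
```

The hook only replaces timing: in real code the window exists whether or not it is easy to hit, which is why the fix is to eliminate the second path lookup (check the descriptor you will use) rather than to shrink the gap. When reviewing a setuid binary, any `stat`/`access`/`lstat` on a path followed by an `open`, `rename`, `chmod` or `unlink` on the same path is the pattern to flag.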