VMware Fusion TOCTOU Flaw CVE-2026-41702 Lets Local Users Escalate to
Broadcom patched a high-severity TOCTOU vulnerability in VMware Fusion (CVE-2026-41702) that lets local non-admin users escalate privileges to root on macOS systems.

Executive Summary
Broadcom released an out-of-band security update for VMware Fusion on Thursday, May 14, 2026, addressing a high-severity time-of-check time-of-use (TOCTOU) vulnerability that allows local attackers with non-administrative privileges to escalate to root on the host macOS system. The flaw, tracked as CVE-2026-41702, was reported by researcher Mathieu Farrell and rated as 'important' by the vendor. The patch arrives as Broadcom attends the Pwn2Own hacking competition in Berlin this week, where ESX hypervisor exploits are expected to be demonstrated for prizes up to $200,000. No evidence of in-the-wild exploitation has been disclosed as of publication.
Technical Analysis
According to Broadcom's advisory, CVE-2026-41702 is a TOCTOU race condition that "occurs during an operation performed by a SETUID binary" within VMware Fusion. The vulnerability resides in the setuid-root helper binary that Fusion uses to perform privileged operations on behalf of unprivileged processes. A race window exists between the binary's check of a resource's state (e.g., file permissions or ownership) and its subsequent use of that resource. An attacker with local non-administrative user access on the macOS host can exploit this window to replace the legitimate resource with a malicious one, causing the SETUID binary to execute arbitrary code with root privileges.
The advisory does not specify the exact affected binary or the resource type subject to the race condition. However, TOCTOU vulnerabilities in setuid binaries are a well-understood class of privilege-escalation bugs, often involving temporary files, symbolic links, or shared memory objects. The attack vector requires the attacker to already have local user access to the system, meaning the flaw is most relevant in multi-user environments or scenarios where an attacker has already gained a foothold via other means (e.g., phishing, malware, or an unpatched application).
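As an added illustration, not VMware's code (the advisory names neither the binary nor the resource), the classic check-then-use pattern in a setuid helper is shown beside the hardened form, which opens the object first and validates the descriptor it will actually use; the file and symlink names in the fixture are constructed:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE pattern: stat() checks the path, open() resolves it again.
 * Between the two calls the path can be repointed (symlink or rename), so
 * the object that was checked need not be the object that gets used. */
int open_checked_racy(const char *path, uid_t owner) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode) || st.st_uid != owner) { errno = EPERM; return -1; }
    return open(path, O_RDONLY);                 /* TOCTOU window sits here */
}

/* HARDENED pattern: open first, refusing to follow symlinks, then validate
 * the descriptor with fstat(). What was checked is exactly what is used. */
int open_checked_safe(const char *path, uid_t owner) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & S_IWOTH)) {              /* world-writable: reject too */
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Constructed fixture: a regular file and a symlink that points at it.
 * Returns 1 when the racy opener accepts both paths (it cannot tell them
 * apart) while the hardened opener accepts the file but rejects the link. */
int demo(void) {
    char dir[] = "/tmp/toctou_demo_XXXXXX", file[64], link[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(file, sizeof file, "%s/helper.conf", dir);
    snprintf(link, sizeof link, "%s/helper.lnk", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 0;
    close(fd);
    if (symlink(file, link) != 0) return 0;
    int rf = open_checked_racy(file, getuid()), rl = open_checked_racy(link, getuid());
    int sf = open_checked_safe(file, getuid()), sl = open_checked_safe(link, getuid());
    int ok = rf >= 0 && rl >= 0 && sf >= 0 && sl < 0;
    if (rf >= 0) close(rf); if (rl >= 0) close(rl); if (sf >= 0) close(sf);
    unlink(link); unlink(file); rmdir(dir);
    return ok;
}
```

The same fd-based validation applies to any resource a privileged helper touches: check the handle you hold, never the path you were given.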
Broadcom's advisory does not include a CVSS score, but the vendor's 'important' rating aligns with typical TOCTOU privilege-escalation flaws. The vulnerability affects VMware Fusion on macOS; VMware Workstation, the Linux/Windows counterpart, was not mentioned in the advisory and has been removed from the list of targets for this year's Pwn2Own competition, according to SecurityWeek.
The timing of the patch is notable: Broadcom has sent security team members to the Pwn2Own Berlin event, where participants are expected to target ESX hypervisor exploits. VMware products have historically been a rich target at Pwn2Own, with Workstation earning significant rewards in previous years. The removal of Workstation from this year's target list may reflect either a reduced attack surface or strategic prioritization by the competition organizers.
Mitigations & Recommendations
Broadcom has released the patched version of VMware Fusion. Administrators should update to the latest available version immediately. Because the vulnerability requires local user access, organizations should also review their least-privilege policies and consider whether local user accounts are necessary on systems running Fusion. In multi-user environments, monitoring for unexpected attempts to execute setuid binaries — particularly those associated with VMware Fusion — may provide early detection of exploitation attempts. As with all VMware products, organizations should also monitor CISA's Known Exploited Vulnerabilities (KEV) catalog; it currently lists 26 VMware flaws, and CVE-2026-41702 could be added if in-the-wild exploitation is confirmed.
