Security News

Cybersecurity news aggregator

HIGH Vulnerabilities SC Media

Broadcom patches high-severity VMware Fusion flaw allowing local privilege escalation

Broadcom has patched a high-severity time-of-check time-of-use (TOCTOU) flaw (CVE-2026-41702) in VMware Fusion that allows local attackers with non-administrative privileges to escalate to root access via a SETUID binary. The vulnerability requires local access to exploit and significantly increases the risk from compromised user accounts or insider threats on macOS systems running the affected software.

Vulnerability Management

By SC Staff, May 14, 2026

(Image: signage outside the Broadcom offices on June 7, 2018, in San Jose, Calif. Photo by Justin Sullivan/Getty Images)

According to Security Affairs, Broadcom has released a critical security update for VMware Fusion to address a high-severity vulnerability, identified as CVE-2026-41702. This flaw could permit local attackers to escalate their privileges to root on affected systems.

The vulnerability is a time-of-check time-of-use (TOCTOU) flaw affecting operations performed by a SETUID binary. A local attacker with non-administrative privileges can exploit this bug to gain root access on a system where VMware Fusion is installed. Successful exploitation allows attackers with limited access to achieve complete control over vulnerable machines, significantly increasing the risk from compromised user accounts or insider threats.

TOCTOU vulnerabilities arise when a system checks a resource's state and then uses it without verifying that the state hasn't changed in between.

VMware Fusion is commonly used by developers, IT professionals, and security researchers on macOS. While this vulnerability requires local access and doesn't expose systems to direct remote compromise, privilege escalation remains a critical concern.

Source: Security Affairs

Related

Patch/Configuration Management: Fleet Device Management launches autonomous endpoint management platform (SC Staff, May 14, 2026). Fleet's new platform aims to shorten patch cycles from an industry average of 55 to 94 days to under two weeks, and in some cases, hours.
Vulnerability Management: Two vulnerabilities found in popular WordPress plugin Avada Builder (SC Staff, May 14, 2026). The vulnerabilities, disclosed by Wordfence, include an arbitrary file read flaw (CVE-2026-4782) requiring subscriber-level access and a high-severity SQL injection flaw (CVE-2026-4798) exploitable without authentication.

Vulnerability Management: Critical 'NGINX Rift' vulnerability discovered, present for 18 years (SC Staff, May 14, 2026). The vulnerability, with a CVSS v4 score of 9.2, resides in the ngx_http_rewrite_module and affects a significant portion of internet infrastructure due to NGINX's widespread use as a reverse proxy, load balancer, and more.
