VMware security advisory about vulnerability CVE-2021-22045 in VMware Workstation & Co.

Vendor VMware has issued a security alert for vulnerability CVE-2021-22045, dated January 4, 2022. This vulnerability, located in the CD-ROM driver, is a heap overflow that threatens the security of VMware Workstation, Fusion and ESXi Server. Updates are available to close the vulnerability, and as a workaround the CD-ROM feature can be disabled. Here is some information on this.


I was alerted to the following tweet by a blog reader (Aldox3) (thanks for that).

VMware Advisory VMSA-2022-0001

In security advisory VMSA-2022-0001, VMware advises of vulnerability CVE-2021-22045 that threatens the following VMware products:

  • VMware ESXi
  • VMware Workstation
  • VMware Fusion
  • VMware Cloud Foundation

The vulnerability, which leads to a heap overflow, was privately reported to VMware. It is located in the CD-ROM device emulation in VMware Workstation, Fusion, and ESXi Server. A malicious actor with access to a virtual machine that has CD-ROM device emulation could exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine. CVE-2021-22045 has a CVSSv3 base score of 7.7 and is rated in the Important severity range.

To address CVE-2021-22045, VMware has provided updates for the affected products. Here are the fixed versions:


  • VMware ESXi 6.5
  • VMware ESXi 6.7
  • VMware Workstation 16.2.0
  • VMware Fusion 12.2.0

Details on the patches can be found on the VMware page of the advisory. VMware has also published knowledgebase articles for the affected products that provide workarounds (disable CD-ROM). The VMware knowledgebase articles are also linked on the VMware page of the advisory.
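To find virtual machines where the workaround still needs to be applied, the following added example (not from VMware or the original post) scans the text of a Workstation/Fusion `.vmx` file for attached CD-ROM devices. It assumes that a device slot with `present = "TRUE"` and a `deviceType` containing `cdrom` is an attached CD-ROM drive; the sample file content and the function names are constructed for illustration.

```python
import re

# Constructed sample .vmx content (not taken from a real VM).
SAMPLE_VMX = '''\
.encoding = "UTF-8"
displayName = "build-agent-01"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "build-agent-01.vmdk"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "installer.iso"
sata0:1.present = "FALSE"
sata0:1.deviceType = "cdrom-raw"
sata0:2.present = "TRUE"
sata0:2.deviceType = "atapi-cdrom"
'''

# A .vmx file is a flat list of  key = "value"  lines.
LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
# Device settings are named <bus><n>:<unit>.<property>, e.g. ide1:0.deviceType
DEVICE_RE = re.compile(r'^((?:ide|sata|scsi)\d+:\d+)\.(\w+)$')

def parse_vmx(text):
    """Return {key: value} for every key = "value" line (keys lowercased)."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def cdrom_devices(text):
    """Return sorted device slots (e.g. 'ide1:0') that are attached CD-ROM drives."""
    devices = {}
    for key, value in parse_vmx(text).items():
        m = DEVICE_RE.match(key)
        if m:
            devices.setdefault(m.group(1), {})[m.group(2)] = value
    # Assumption: present=TRUE plus a deviceType containing "cdrom" means attached.
    return sorted(
        slot for slot, props in devices.items()
        if props.get("present", "").upper() == "TRUE"
        and "cdrom" in props.get("devicetype", "").lower()
    )

if __name__ == "__main__":
    for slot in cdrom_devices(SAMPLE_VMX):
        print(f"CD-ROM device still attached: {slot}")
```

VMs that the script lists are candidates for the update or for the workaround described in the VMware knowledge base articles.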
