VMSA-2019-0019: VMware ESXi, Workstation and Fusion updates address a denial-of-service vulnerability

VMware

22 October 2019

Severity: MEDIUM (CVSSv3 6.3)

CVE-2019-5536

VMware Security Advisories

Advisory ID: VMSA-2019-0019
Advisory Severity: Moderate
CVSSv3 Range: 6.3
Synopsis: VMware ESXi, Workstation and Fusion updates address a denial-of-service vulnerability (CVE-2019-5536)
Issue Date: 2019-10-24
Updated On: 2019-10-24 (Initial Advisory)
CVE(s): CVE-2019-5536

1. Impacted Products
  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
 
2. Introduction
VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability. Patches and workarounds are available to remediate this vulnerability in affected VMware products.
 
3. VMware ESXi, Workstation and Fusion shader denial-of-service vulnerability (CVE-2019-5536)

Description:

VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability in the shader functionality. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.3.

 

Known Attack Vectors:

Successful exploitation of this issue may allow attackers with normal user privileges to create a denial-of-service condition on their own VM.

 

Resolution:

To remediate CVE-2019-5536, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

 

Workarounds:

The workaround for this issue involves disabling the 3D-acceleration feature. Please see the 'Workarounds' column of the 'Resolution Matrix' found below.

 

Additional Documentation:

None.

 

Notes:

Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. 3D graphics is not enabled by default on ESXi, but is enabled by default on Workstation and Fusion.
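The workaround above is to disable 3D acceleration per VM, and the note above says the default differs by product. The following is an added audit example, not VMware's own tooling: it parses .vmx configuration text, reports which VMs still have 3D acceleration on, and emits a hardened copy of the configuration. It assumes the 3D setting is carried by the .vmx key `mks.enable3d` (a key the advisory itself does not name) and that a VM whose configuration lacks the key follows the product default stated in the note (on for Workstation and Fusion, off for ESXi); both are assumptions, and the sample configurations are constructed.

```python
"""Audit .vmx configurations for 3D acceleration (CVE-2019-5536 workaround).

Added example, not VMware code. Assumes the .vmx key `mks.enable3d` governs
3D acceleration and that an absent key means the product default described in
VMSA-2019-0019 (enabled on Workstation/Fusion, disabled on ESXi).
"""
import re

# A .vmx line looks like:   key.name = "value"
VMX_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')

# Products on which 3D acceleration is enabled by default (per the advisory note).
DEFAULT_3D_ON = {"workstation", "fusion"}


def parse_vmx(text):
    """Parse .vmx text into a dict of lower-cased keys to string values."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def three_d_enabled(cfg, platform):
    """True if the VM has 3D acceleration on (explicitly or by product default)."""
    value = cfg.get("mks.enable3d")
    if value is None:
        # Assumption: absent key follows the product default from the advisory.
        return platform.lower() in DEFAULT_3D_ON
    return value.strip().lower() == "true"


def harden_vmx(text):
    """Return the .vmx text with mks.enable3d forced to FALSE (added if missing)."""
    out, seen = [], False
    for raw in text.splitlines():
        m = VMX_LINE.match(raw.strip())
        if m and m.group(1).lower() == "mks.enable3d":
            out.append('mks.enable3d = "FALSE"')
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append('mks.enable3d = "FALSE"')
    return "\n".join(out) + "\n"


def audit(vm_files, platform):
    """vm_files: {vm name: vmx text}. Returns names of VMs still exposed."""
    return [name for name, text in vm_files.items()
            if three_d_enabled(parse_vmx(text), platform)]


# Constructed sample configurations (not taken from any real system).
SAMPLE_VMS = {
    "dev-box": '.encoding = "UTF-8"\nconfig.version = "8"\nmks.enable3d = "TRUE"\n',
    "hardened": '.encoding = "UTF-8"\nmks.enable3d = "FALSE"\n',
    "legacy": '.encoding = "UTF-8"\nconfig.version = "8"\n',   # key absent
}

if __name__ == "__main__":
    for platform in ("workstation", "esxi"):
        print(platform, "-> VMs with 3D acceleration on:", audit(SAMPLE_VMS, platform))
    print(harden_vmx(SAMPLE_VMS["legacy"]))
```

On a real estate the dict would be filled from the .vmx files on disk; the hardened text is only a proposed replacement, to be applied while the VM is powered off and re-checked afterwards with the same audit.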

 

Acknowledgements:

VMware would like to thank Piotr Bania of Cisco Talos for reporting this issue to us.

 

Response Matrix:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents
ESXi | 6.7 | Any | CVE-2019-5536 | 6.3 | Moderate | ESXi670-201908101-SG | see VMSA-2018-0025 | None
ESXi | 6.5 | Any | CVE-2019-5536 | 6.3 | Moderate | ESXi650-201910401-SG | see VMSA-2018-0025 | None
ESXi | 6.0 | Any | CVE-2019-5536 | N/A | N/A | Not affected | N/A | N/A
Workstation | 15.x | Any | CVE-2019-5536 | 6.3 | Moderate | 15.5.0 | see VMSA-2018-0025 | None
Fusion | 11.x | OS X | CVE-2019-5536 | 6.3 | Moderate | 11.5.0 | see VMSA-2018-0025 | None

5. Change log

2019-10-24: VMSA-2019-0019

Initial security advisory in conjunction with the release of the ESXi 6.5 patch on 2019-10-24.

 

6. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  [email protected]

  [email protected]

  [email protected]

 

E-mail: [email protected]

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2019 VMware Inc. All rights reserved.