1. Impacted Products

• VMware Workstation 

• VMware Fusion

2. Introduction

Multiple vulnerabilities in VMware Workstation and Fusion were privately reported to Broadcom. Updates are available to remediate these vulnerabilities in the affected Broadcom products.

3a. VMware Workstation for Windows NULL Pointer Dereference vulnerability (CVE-2026-22722)

Description: 
VMware Workstation for Windows contains a NULL Pointer Dereferencing vulnerability. Broadcom has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1.

Known Attack Vectors:
A malicious authenticated actor on a Windows-based Workstation host may be able cause a NULL pointer dereference error.

Resolution: 
To remediate CVE-2026-22722, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:
None

Additional Documentation:
None

Acknowledgements:  
Broadcom would like to thank dread (d7ead) for reporting this issue to us.

Notes:
None

3b. VMware Workstation/Fusion NAT vulnerability (CVE-2026-22715)

Description: 
VMware Workstation and Fusion contain a logic flaw in the management of network packets. Broadcom has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors:
A malicious actor with administrative privileges on a guest VM may be able to interrupt or intercept network connections of other guest VMs.

Resolution: 
To remediate CVE-2026-22715 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:
None

Additional Documentation:
None

Acknowledgements:  
Broadcom would like to thank Ao Wang, Yuxiang Yang, Ke Xu, Xuewei Feng, Qi Li, and Xueying Li for reporting this issue to us.

Notes:
None

3c. VMware Workstation out-of-bounds write vulnerability (CVE-2026-22716)

Description: 
VMware Workstation contains an out-of-bounds write vulnerability. Broadcom has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.0.

Known Attack Vectors:
A malicious actor with non-administrative privileges on a guest VM may trigger an out-of-bounds write which may lead to a crash of some Workstation processes in the machine where Workstation is installed.

Resolution: 
To remediate CVE-2026-22716 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:
None

Additional Documentation:
None

Acknowledgements:  
Broadcom would like to thank Maxim Suhanov (@errno_fail) for reporting this issue to us.

Notes:
None

3d. VMware Workstation out-of-bounds read vulnerability (CVE-2026-22717)

Description: 
VMware Workstation contains an out-of-bound read vulnerability. Broadcom has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 2.7.

Known Attack Vectors:
A malicious actor with non-administrative privileges on a guest VM may trigger an out-of-bounds read which may lead to limited information disclosure in the machine where Workstation is installed.

Resolution: 
To remediate CVE-2026-22717 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:
None

Additional Documentation:
None

Acknowledgements:  
Broadcom would like to thank Maxim Suhanov (@errno_fail) for reporting this issue to us.

Notes:
None

Response Matrix:

4. References:

VMware Workstation 25H2u1
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20Workstation%20Pro&displayGroup=VMware%20Workstation%20Pro%2025H2%20for%20Windows&release=25H2u1&os=&servicePk=540566&language=EN&freeDownloads=true
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20Workstation%20Pro&displayGroup=VMware%20Workstation%20Pro%2025H2%20for%20Linux&release=25H2u1&os=&servicePk=540565&language=EN&freeDownloads=true
https://techdocs.broadcom.com/us/en/vmware-cis/desktop-hypervisors/workstation-pro/25H2/release-notes/vmware-workstation-pro-25h2u1-release-notes.html

VMware Fusion 25H2u1
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20Fusion&displayGroup=VMware%20Fusion%2025H2&release=25H2u1&os=&servicePk=540563&language=EN&freeDownloads=true
https://techdocs.broadcom.com/us/en/vmware-cis/desktop-hypervisors/fusion-pro/25H2/release-notes/vmware-fusion-25h2u1-release-notes.html

Mitre CVE Dictionary Links:
https://www.cve.org/CVERecord?id=CVE-2026-22715 
https://www.cve.org/CVERecord?id=CVE-2026-22716 
https://www.cve.org/CVERecord?id=CVE-2026-22717 
https://www.cve.org/CVERecord?id=CVE-2026-22722 

FIRST CVSSv3 Calculator:

CVE-2026-22715: https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
CVE-2026-22716: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
CVE-2026-22717: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
CVE-2026-22722: https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

6. Contact:

E-mail: [email protected]

PGP key
https://knowledge.broadcom.com/external/article/321551

VMware Security Advisories
https://www.broadcom.com/support/vmware-security-advisories

VMware External Vulnerability Response and Remediation Policy
https://www.broadcom.com/support/vmware-services/security-response

VMware Lifecycle Support Phases

https://support.broadcom.com/group/ecx/productlifecycle

VMware Security Blog

https://blogs.vmware.com/security

X
https://x.com/VMwareSRC

Copyright 2026 Broadcom. All rights reserved.