VMSA-2026-0002: VMware Workstation and Fusion updates address multiple vulnerabilities (CVE-2026-22715, CVE-2026-22716, CVE-2026-22717, CVE-2026-22722)
| Advisory ID: | VMSA-2026-0002 |
| Advisory Severity: | Moderate |
| CVSSv3 Range: | 2.7 - 6.1 |
| Synopsis: | VMware Workstation and Fusion updates address multiple vulnerabilities (CVE-2026-22715, CVE-2026-22716, CVE-2026-22717, CVE-2026-22722) |
| Issue date: | 2026-02-26 |
| Updated on: | 2026-02-26 (Initial Advisory) |
| CVE(s) | CVE-2026-22715, CVE-2026-22716, CVE-2026-22717, CVE-2026-22722 |
1. Impacted Products
- VMware Workstation
- VMware Fusion
2. Introduction
Multiple vulnerabilities in VMware Workstation and Fusion were privately reported to Broadcom. Updates are available to remediate these vulnerabilities in the affected Broadcom products.
3a. VMware Workstation for Windows NULL Pointer Dereference vulnerability (CVE-2026-22722)
Description:
VMware Workstation for Windows contains a NULL Pointer Dereferencing vulnerability. Broadcom has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1.
Known Attack Vectors:
A malicious authenticated actor on a Windows-based Workstation host may be able to cause a NULL pointer dereference error.
Resolution:
To remediate CVE-2026-22722, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None
Additional Documentation:
None
Acknowledgements:
Broadcom would like to thank dread (d7ead) for reporting this issue to us.
Notes:
None
3b. VMware Workstation/Fusion NAT vulnerability (CVE-2026-22715)
Description:
VMware Workstation and Fusion contain a logic flaw in the management of network packets. Broadcom has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.
Known Attack Vectors:
A malicious actor with administrative privileges on a guest VM may be able to interrupt or intercept network connections of other guest VMs.
Resolution:
To remediate CVE-2026-22715 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None
Additional Documentation:
None
Acknowledgements:
Broadcom would like to thank Ao Wang, Yuxiang Yang, Ke Xu, Xuewei Feng, Qi Li, and Xueying Li for reporting this issue to us.
Notes:
None
3c. VMware Workstation out-of-bounds write vulnerability (CVE-2026-22716)
Description:
VMware Workstation contains an out-of-bounds write vulnerability. Broadcom has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.0.
Known Attack Vectors:
A malicious actor with non-administrative privileges on a guest VM may trigger an out-of-bounds write which may lead to a crash of some Workstation processes in the machine where Workstation is installed.
Resolution:
To remediate CVE-2026-22716 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None
Additional Documentation:
None
Acknowledgements:
Broadcom would like to thank Maxim Suhanov (@errno_fail) for reporting this issue to us.
Notes:
None
3d. VMware Workstation out-of-bounds read vulnerability (CVE-2026-22717)
Description:
VMware Workstation contains an out-of-bounds read vulnerability. Broadcom has evaluated the severity of this issue to be in the Low severity range with a maximum CVSSv3 base score of 2.7.
Known Attack Vectors:
A malicious actor with non-administrative privileges on a guest VM may trigger an out-of-bounds read which may lead to limited information disclosure in the machine where Workstation is installed.
Resolution:
To remediate CVE-2026-22717 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None
Additional Documentation:
None
Acknowledgements:
Broadcom would like to thank Maxim Suhanov (@errno_fail) for reporting this issue to us.
Notes:
None
Response Matrix:
| Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| VMware Workstation | 17.x, 25H2 | Any | CVE-2026-22715, | 5.9, 5.0, 2.7 | Moderate | 25H2u1 | None | None |
| VMware Workstation | 17.x, 25H2 | Windows | CVE-2026-22722 | 6.1 | Moderate | 25H2u1 | None | None |
| VMware Fusion | 13.x, 25H2 | MacOS | CVE-2026-22715 | 5.9 | Moderate | 25H2u1 | None | None |
4. References:
VMware Workstation 25H2u1
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20Workstation%20Pro&displayGroup=VMware%20Workstation%20Pro%2025H2%20for%20Windows&release=25H2u1&os=&servicePk=540566&language=EN&freeDownloads=true
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20Workstation%20Pro&displayGroup=VMware%20Workstation%20Pro%2025H2%20for%20Linux&release=25H2u1&os=&servicePk=540565&language=EN&freeDownloads=true
https://techdocs.broadcom.com/us/en/vmware-cis/desktop-hypervisors/workstation-pro/25H2/release-notes/vmware-workstation-pro-25h2u1-release-notes.html
VMware Fusion 25H2u1
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20Fusion&displayGroup=VMware%20Fusion%2025H2&release=25H2u1&os=&servicePk=540563&language=EN&freeDownloads=true
https://techdocs.broadcom.com/us/en/vmware-cis/desktop-hypervisors/fusion-pro/25H2/release-notes/vmware-fusion-25h2u1-release-notes.html
Mitre CVE Dictionary Links:
https://www.cve.org/CVERecord?id=CVE-2026-22715
https://www.cve.org/CVERecord?id=CVE-2026-22716
https://www.cve.org/CVERecord?id=CVE-2026-22717
https://www.cve.org/CVERecord?id=CVE-2026-22722
FIRST CVSSv3 Calculator:
CVE-2026-22715: https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
CVE-2026-22716: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
CVE-2026-22717: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
CVE-2026-22722: https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
6. Contact:
E-mail: [email protected]
PGP key
https://knowledge.broadcom.com/external/article/321551
VMware Security Advisories
https://www.broadcom.com/support/vmware-security-advisories
VMware External Vulnerability Response and Remediation Policy
https://www.broadcom.com/support/vmware-services/security-response
VMware Lifecycle Support Phases
https://support.broadcom.com/group/ecx/productlifecycle
VMware Security Blog
https://blogs.vmware.com/security
X
https://x.com/VMwareSRC
Copyright 2026 Broadcom. All rights reserved.