Security Advisory 2022-001

Release Date:

Important Vulnerability in VMware



  • 06/01/2022 --- v1.0 -- Initial publication


On the 4th of January 2022, VMware released a security alert for a vulnerability affecting VMware Workstation, Fusion, ESXi Server and Cloud Foundation [1]. This vulnerability, tracked as CVE-2021-22045, is rated important, with a CVSSv3 score of 7.7. A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit a heap overflow vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.

Successful exploitation requires a CD image to be attached to the virtual machine.

Technical Details

This is a heap-overflow vulnerability located in CD-ROM device emulation in VMware Workstation, Fusion and ESXi that was privately reported to VMware.

Affected Products

The following products are affected by the vulnerability:

| Product | Affected Versions | Platform |
|---|---|---|
| VMware ESXi | 6.5, 6.7, 7 | Any |
| VMware Workstation | 16.x | Any |
| VMware Fusion | 12.x | OS X |
| VMware Cloud Foundation (ESXi) | 3.x, 4.x | Any |

All previous releases of VMware ESXi 6.5 and 6.7 are vulnerable.


VMware has released updates and workarounds that address CVE-2021-22045 [2,3,4], as well as a general workaround [4] showing how to disable CD-ROM/DVD devices on all running virtual machines. The workaround is meant to be a temporary solution until the updates documented in [1] can be deployed.

CERT-EU strongly recommends patching as per the table below:

| Product | Fixed Version | Workaround |
|---|---|---|
| VMware ESXi 6.5 | ESXi650-202111101-SG 6.5 P07 Build number 18678235 [2] | as per [4] |
| VMware ESXi 6.7 | ESXi670-202110101-SG 6.7 P06 Build Number 18828794 [3] | as per [4] |
| VMware ESXi 7 | Pending | [4] |
| VMware Workstation 16.x | 16.2.0 | [5] |
| VMware Fusion 12.x | 12.2.0 | [5] |
| VMware Cloud Foundation (ESXi) 3.x, 4.x | Pending | [4] |

There is no requirement to implement the workaround once the recommended upgrade is complete.
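To triage an inventory against the table above, the following added example (not part of the advisory or of VMware's material) classifies ESXi hosts by build number and lists the CD-ROM devices defined in a VM's .vmx file, since exploitation requires an attached CD image. It assumes version banners in the `VMware ESXi <version> build-<n>` form and that any build at or above the fixed build is patched; all sample inputs are constructed.

```python
import re

# Fixed builds from the advisory's table. ESXi 7 was still "Pending" at
# publication, so it has no entry and is reported as needing the workaround.
FIXED_BUILD = {"6.5": 18678235, "6.7": 18828794}

# Constructed sample inputs (not real hosts or VMs).
SAMPLE_BANNERS = {
    "esx-a": "VMware ESXi 6.7.0 build-17700523",
    "esx-b": "VMware ESXi 6.5.0 build-18678235",
    "esx-c": "VMware ESXi 7.0.3 build-18644231",
}
SAMPLE_VMX = '''
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "/vmfs/volumes/ds1/iso/install.iso"
sata0:1.present = "TRUE"
sata0:1.deviceType = "cdrom-raw"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "disk.vmdk"
'''

def host_status(banner):
    """Return 'patched', 'vulnerable', 'pending' or 'unknown' for one banner."""
    m = re.search(r"ESXi (\d+\.\d+)\S* build-(\d+)", banner)
    if not m:
        return "unknown"
    release, build = m.group(1), int(m.group(2))
    if release.startswith("7."):
        return "pending"  # no fixed build listed: apply the workaround
    if release not in FIXED_BUILD:
        return "unknown"
    # Assumption: builds at or above the fixed build contain the fix.
    return "patched" if build >= FIXED_BUILD[release] else "vulnerable"

def cdrom_devices(vmx_text):
    """Map each present CD-ROM device node to its backing file (or None)."""
    cfg = {}
    for line in vmx_text.splitlines():
        m = re.match(r'\s*([\w:]+)\.(\w+)\s*=\s*"(.*)"', line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return {
        node: keys.get("filename")
        for node, keys in cfg.items()
        if keys.get("present", "").upper() == "TRUE"
        and "cdrom" in keys.get("devicetype", "").lower()
    }
```

Hosts reported as `vulnerable` or `pending` that run VMs with a non-empty result from `cdrom_devices` are the ones to prioritise for the update or the workaround.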






