oss-sec mailing list archives

[Security Advisory] open-vm-tools: Local privilege escalation (CVE-2025-41244)


From: VMware PSIRT <vmware.psirt () broadcom com>
Date: Mon, 29 Sep 2025 21:47:31 +0530

Description
==============================================================
CVE-2025-41244: open-vm-tools contains a local privilege escalation
vulnerability. VMware has evaluated the severity of this issue to be
in the Important severity range with a maximum CVSSv3 base score of
7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Known Attack Vectors
==============================================================
A malicious actor with non-administrative privileges on a guest VM may
exploit this vulnerability to escalate privileges to root on the same
VM.

Security Advisory
==============================================================
VMSA-2025-0015 -
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149

Upstream fix for CVE-2025-41244
==============================================================
https://github.com/vmware/open-vm-tools/tree/CVE-2025-41244.patch

The following patches are provided for released versions of open-vm-tools:
- For all open-vm-tools versions 12.4.0, 12.4.5, 12.5.0, 13.0.0:
CVE-2025-41244-1240-1300-SDMP.patch
- For all open-vm-tools versions 12.3.0, 12.3.5:
CVE-2025-41244-1230-1235-SDMP.patch
- For all open-vm-tools versions 12.0.0, 12.0.5, 12.1.0, 12.1.5,
12.2.0, 12.2.5: CVE-2025-41244-1200-1225-SDMP.patch
- For all open-vm-tools versions 11.2.0, 11.2.5, 11.3.0, 11.3.5:
CVE-2025-41244-1120-1135-SDMP.patch

Thanks,
Praveen Singh
VMware Cloud Foundation PSIRT
Email: vmware.psirt () broadcom com