A vulnerability was found in Parallels Desktop (the affected version is unknown) and classified as critical. Affected by this issue is an unknown code of the component virtio-gpu Virtual Device. The manipulation with an unknown input leads to a out-of-bounds write vulnerability. Using CWE to declare the problem leads to CWE-787. The product writes data past the end, or before the beginning, of the intended buffer. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Parallels Desktop virtio-gpu Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Parallels Desktop. User interaction is required to exploit this vulnerability in that the target in a guest system must visit a malicious page or open a malicious file. The specific flaw exists within the virtio-gpu virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the hypervisor. . Was ZDI-CAN-21260.

The weakness was presented 12/19/2023 as ZDI-23-1804. The advisory is available at zerodayinitiative.com. This vulnerability is handled as CVE-2023-50227 since 12/05/2023. Successful exploitation requires user interaction by the victim. The technical details are unknown and an exploit is not available.

Upgrading eliminates this vulnerability. The upgrade is hosted for download at kb.parallels.com.

Productinfo

Vendor

• Parallels

Name

• Desktop

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion