VMware releases security updates
The CD-ROM device emulation in VMware Workstation, Fusion and ESXi has a heap-overflow vulnerability (CVE-2021-22045). VMware has rated the vulnerability at a CVSSv3 score of 7.7.
A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.
To remediate this vulnerability, VMware advises applying the patches listed under 'Fixed Version' – vmware.com.
05 January 2022