Workaround Instructions for CVE-2021-22040 and CVE-2021-22041

Article ID: 318956

Products

VMware Desktop Hypervisor, VMware vSphere ESXi

Issue/Introduction

VMware has investigated CVE-2021-22040 and CVE-2021-22041 and determined that the possibility of exploitation can be mitigated by performing the steps detailed in the Resolution section of this article.

Please note that this workaround is meant to be a temporary solution until the updates documented in VMSA-2022-0004 can be deployed.

Environment

  • VMware vSphere ESXi 6.x
  • VMware vSphere ESXi 7.0.x
  • VMware Workstation Pro 16.x
  • VMware Fusion 12.x

Resolution

Please refer to "VMware ESXi Updates For VMSA-2022-0004" and "VMSA-2022-0004: VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities" for more details about the issue, as well as information regarding which fixed product versions are available.

As a temporary workaround, you can remove all USB controllers from your virtual machines until you are able to mitigate the issue by patching to a fixed product version.

Please be aware that this workaround should only be used as an exception, because it makes multiple features unavailable, such as:

  • USB passthrough for physical USB devices
  • Mounting virtual USB devices
  • Mouse/Keyboard support for certain guest operating system types that do not support PS/2. Most guest OS types do not use the USB controller for input devices by default and instead rely on software device emulation based on PS/2. However, if the OS is unable to support PS/2, it will be left without keyboard/mouse support.
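
To confirm that the workaround has been applied everywhere, the following added example (not part of the original article and not VMware code) scans a directory tree of `.vmx` configuration files and reports every virtual machine that still has a USB controller enabled. The key names `usb.present`, `ehci.present` and `usb_xhci.present` are not named in this article and are assumed here to be the settings that enable the UHCI, EHCI and xHCI controllers; the sample configuration is constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: these .vmx keys enable the UHCI, EHCI and xHCI virtual USB controllers.
USB_CONTROLLER_KEYS = ("usb.present", "ehci.present", "usb_xhci.present")

# Matches lines of the form: key = "value" (comment lines starting with # do not match)
ASSIGNMENT = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')


def usb_controllers_in_vmx(text):
    """Return the sorted controller keys that are set to TRUE in .vmx text."""
    enabled = set()
    for line in text.splitlines():
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        key = match.group(1).lower()
        value = match.group(2).strip().lower()
        # Conservative: any TRUE assignment counts, even if the key is repeated.
        if key in USB_CONTROLLER_KEYS and value == "true":
            enabled.add(key)
    return sorted(enabled)


def audit_tree(root):
    """Map each .vmx path under root to the USB controller keys still enabled."""
    findings = {}
    for vmx in Path(root).rglob("*.vmx"):
        hits = usb_controllers_in_vmx(vmx.read_text(errors="replace"))
        if hits:
            findings[str(vmx)] = hits
    return findings


# Constructed sample: UHCI disabled, EHCI and xHCI still present.
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "build-agent-01"
usb.present = "FALSE"
ehci.present = "TRUE"
usb_xhci.present = "TRUE"
usb_xhci:4.present = "TRUE"
"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, keys in sorted(audit_tree(root).items()):
        print(f"{path}: {', '.join(keys)}")
```

An empty result means no scanned `.vmx` file enables a USB controller. The script only reads configuration files, so on ESXi the configuration of registered virtual machines should also be checked through the host or vCenter inventory.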

The procedures for removing the virtual USB controller for the specific affected products can be found in the following documents: