VMware on Sunday patched a critical out-of-bounds memory access vulnerability in the drag-and-drop function of its Workstation and Fusion virtualization software products. According to a VMware security advisory, the flaw – officially designated CVE-2016-7461 – could be exploited to allow users to execute code on the operating system running the programs.

Specifically, the affected products are Workstation Pro, Workstation Player, Fusion and Fusion Pro. Workstation is fixed with version 12.5.2, while Fusion is repaired with version 8.5.2. An alternative workaround is also available for all impacted products except Workstation Player: users can neutralize the flaw if they disable the drag-and-drop and copy-and-paste functions.

Fusion allows users to run virtualized versions of Windows and other operating systems on Macs. Workstation is virtual machine software that runs on x64 version of Windows and Linux.

VMware credited the vulnerability's original disclosure to Qinghao Tang and Xinlei Ying from the 360 Marvel Team and Iokihardt, all working with the organizers of PwnFest.