CVE-2021-34986: Parallels Desktop Service Time-Of-Check Time-Of-Use Privilege Escalation Vulnerability
First published: Fri Jul 15 2022(Updated: )
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.5.0 (49183). An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. By creating a symbolic link, an attacker can abuse the service to execute a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-13932.
Credit: zdi-disclosures@trendmicro.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Parallels Desktop | =16.5.0 | |
| Parallels Desktop |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-34986?
CVE-2021-34986 is a vulnerability that allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.5.0 (49183).
How can an attacker exploit CVE-2021-34986?
An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
What is the affected software?
The affected software is Parallels Desktop 16.5.0 (49183).
How severe is CVE-2021-34986?
CVE-2021-34986 has a severity rating of 7.8 (High).
How do I fix CVE-2021-34986?
To fix CVE-2021-34986, you should update Parallels Desktop to the latest version provided by the vendor.
- collector/nvd-index
- collector/zdi-advisory
- alias/ZDI-22-385
- alias/ZDI-CAN-13932
- alias/CVE-2021-34986
- agent/title
- agent/weakness
- agent/type
- vendor/parallels
- canonical/parallels desktop
- version/parallels desktop/16.5.0