Advisory ID VMSA-2019-0019
Advisory Severity Moderate
CVSSv3 Range 6.3
Synopsis VMware ESXi, Workstation and Fusion updates address a denial-of-service vulnerability (CVE-2019-5536)
Issue Date 2019-10-24
Updated On 2019-10-24 (Initial Advisory)
CVE(s) CVE-2019-5536
1. Impacted Products
  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
2. Introduction
VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability. Patches and workarounds are available to remediate this vulnerability in affected VMware products.
3. VMware ESXi, Workstation and Fusion shader denial-of-service vulnerability (CVE-2019-5536)


VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability in the shader functionality. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.3.


Known Attack Vectors:

Successful exploitation of this issue may allow attackers with normal user privileges to create a denial-of-service condition on their own VM.



To remediate CVE-2019-5536, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.



The workaround for this issue involves disabling the 3D-acceleration feature. Please see the 'Workarounds' column of the 'Resolution Matrix' found below.


Additional Documentations:




Exploitation of this issue require an attacker to have access to a virtual machine with 3D graphics enabled. It is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.



VMware would like to thank Piotr Bania of Cisco Talos for reporting this issue to us.


Response Matrix:

Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documents
Any CVE-2019-5536 6.3
see VMSA-2018-0025
ESXi 6.5 Any CVE-2019-5536 6.3 Moderate ESXi650-201910401-SG see VMSA-2018-0025 None
ESXi 6.0 Any CVE-2019-5536 N/A N/A Not affected N/A N/A
Workstation 15.x Any CVE-2019-5536 6.3 Moderate 15.5.0 see VMSA-2018-0025 None
Fusion 11.x OS X
CVE-2019-5536 6.3 Moderate 11.5.0 see VMSA-2018-0025 None

5. Change log

2019-10-24: VMSA-2019-0019 

Initial security advisory in conjunction with the release of ESXi 6.5 patch on 2019-10-24.

6. Contact


E-mail list for product security notifications and announcements:


This Security Advisory is posted to the following lists:



PGP key at:


VMware Security Advisories


VMware Security Response Policy


VMware Lifecycle Support Phases


VMware Security & Compliance Blog




Copyright 2019 VMware Inc. All rights reserved.


Sign up for Security Advisories

Enter your email address: