VMware has investigated CVE-2021-22040 and CVE-2021-22041 and has determined that the possibility of exploitation can be removed by performing the steps detailed in the Workaround section of this article.
This workaround is meant to be a temporary solution until updates documented in VMSA-2022-0004 can be deployed.
Resolution is documented in VMSA-2022-0004.
For details on the VMware ESXi fixes available, please see KB87613.
The workaround for both CVE-2021-22040 and CVE-2021-22041 is to remove all USB controllers from the virtual machine. As a result, USB passthrough functionality will be unavailable.
In addition, virtual/emulated USB devices, such as a VMware virtual USB stick or dongle, will not be available for use by the virtual machine. The default keyboard and mouse input devices are not affected: by default they are not connected through the USB protocol but use a driver that performs software device emulation in the guest OS.
IMPORTANT:
Certain guest operating systems, including Mac OS, do not support using a PS/2 mouse and keyboard. Without a USB controller, these guest operating systems will be left without a mouse and keyboard.
The procedure for removing the virtual USB controllers for the affected products is described here:
VMware ESXi:
Steps to remove a USB controller from a VMware ESXi virtual machine
VMware Workstation Pro:
https://docs.vmware.com/en/VMware-Workstation-Pro/16.0/com.vmware.ws.using.doc/GUID-845C34CF-3CAE-4EA9-BA95-2727010963C4.html
VMware Workstation Player:
https://docs.vmware.com/en/VMware-Workstation-Player-for-Windows/16.0/com.vmware.player.win.using.doc/GUID-845C34CF-3CAE-4EA9-BA95-2727010963C4.html
VMware Fusion:
https://docs.vmware.com/en/VMware-Fusion/12/com.vmware.fusion.using.doc/GUID-2DAA7A97-B57D-4AD8-887D-302F2C6F2B43.html
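
To verify that the workaround has been applied, the following added example (not part of VMware's article or tooling) parses a virtual machine's .vmx configuration and reports any USB controller that is still enabled, and whether the guest is one that depends on USB for keyboard and mouse. The `usb.present`, `ehci.present` and `usb_xhci.present` keys and the `darwin` guestOS prefix for Mac OS guests are assumptions about the VMX format that the article does not list; the sample configuration is constructed.

```python
import re

# Assumption: VMX keys that enable a virtual USB controller (not listed in the article).
USB_CONTROLLER_KEYS = {
    "usb.present": "USB 1.1 (UHCI)",
    "ehci.present": "USB 2.0 (EHCI)",
    "usb_xhci.present": "USB 3.x (xHCI)",
}

# Matches: key = "value". Lines starting with '#' are comments and are skipped.
_LINE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {lowercased key: value}; VMX keys are treated case-insensitively."""
    settings = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def audit_vmx(text):
    """Report whether any USB controller is still enabled in a VMX config."""
    cfg = parse_vmx(text)
    controllers = [label for key, label in USB_CONTROLLER_KEYS.items()
                   if cfg.get(key, "").strip().lower() == "true"]
    return {
        "name": cfg.get("displayname", "<unnamed>"),
        "usb_controllers": controllers,
        "workaround_applied": not controllers,
        # Assumption: Mac OS guests report a guestOS value starting with "darwin".
        # Removing USB from these guests leaves them without keyboard and mouse.
        "needs_usb_input": cfg.get("guestos", "").lower().startswith("darwin"),
    }


# Constructed sample configuration, not taken from a real virtual machine.
SAMPLE_VMX = '''.encoding = "UTF-8"
displayName = "build-agent-01"
guestOS = "darwin19-64"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "FALSE"
# usb_xhci.present = "TRUE"
'''

if __name__ == "__main__":
    print(audit_vmx(SAMPLE_VMX))
```

Run `audit_vmx` over the contents of each .vmx file in the inventory; a VM is covered by the workaround only when `workaround_applied` is true.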