CVE DATABASE / CVE-2019-5544

CVE-2019-5544

VMware ESXi and Horizon DaaS OpenSLP Heap-Based Buffer Overflow Vulnerability

CVSS 9.8 · CRITICAL ⚠ CISA KEV — ACTIVELY EXPLOITED RANSOMWARE

On the CISA KEV catalog

Confirmed exploited in the wild. Added 2021-11-03. Federal remediation due 2022-05-03.
Required action: Apply updates per vendor instructions.

Summary

OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

CVSS 3.1 breakdown

Base score	9.8 (CRITICAL)
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	NONE
Scope	UNCHANGED
Confidentiality	HIGH
Integrity	HIGH
Availability	HIGH

Weakness type (CWE)

CWE-787

Affected products

Vmware horizon daasVmware esxiRedhat enterprise linux desktopRedhat enterprise linux for ibm z systemsRedhat enterprise linux for ibm z systems eusRedhat enterprise linux for power big endianRedhat enterprise linux for power big endian eusRedhat enterprise linux for power little endianRedhat enterprise linux for power little endian eusRedhat enterprise linux serverRedhat enterprise linux server ausRedhat enterprise linux server eusRedhat enterprise linux server tusRedhat enterprise linux workstationOpenslp openslpFedoraproject fedora

Check this CVE live

Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.

References

Data: NIST NVD + CISA KEV. NVD last modified 2025-10-30. Always verify against the vendor advisory before acting.