Impact statement: VMware/Broadcom has several May 2026 virtualization updates that matter for hosting providers, MSPs, labs, and anyone running customer workloads on virtual infrastructure. This is not a new ESXi/vCenter emergency CVE post. It is an operations checklist for VMware Cloud Foundation 9.1, vCenter virtual hardware handling, Workstation/Fusion 26H1, and adjacent VM platform updates that hosting admins should not miss.
Fix I.T. Phill already published a separate protect-only advisory for VMware Fusion CVE-2026-41702. The broader May 2026 story is about upgrade planning, tenant isolation, lifecycle management, and making sure your hypervisor estate does not drift while customer servers depend on it.
What Changed In VMware/Broadcom
- VMware Cloud Foundation 9.1: Broadcom announced VCF 9.1 with stronger private-cloud operations, AI and Kubernetes positioning, mixed compute support, security/compliance add-ons, and scale improvements for larger fleets.
- VCF Operations and lifecycle: Broadcom says VCF 9.1 can converge existing vCenter/ESX vSphere 8.0 Update 3 and later environments into a VCF management domain, import supported vCenter/ESX environments into workload domains, and scale management up to 5,000 ESXi hosts.
- Faster cluster maintenance: Broadcom is positioning VCF 9.1 around larger parallel upgrade capacity, centralized logs, diagnostics, compliance visibility, fleet management, and a unified software depot.
- Provider economics: VMware Cloud Service Provider guidance for VCF 9.1 highlights tenant self-service, chargeback, upfront pricing, lifecycle efficiency, and reduced maintenance friction.
- vCenter virtual hardware: vCenter in vSphere with VCF 9.1 moves from virtual hardware version 10 to version 17. Reduced-downtime upgrades create a new vCenter VM and handle that automatically, but in-place updates from 9.0.x to 9.1.0 require a manual hardware compatibility upgrade.
- Workstation and Fusion 26H1: VMware Workstation Pro for Windows is now 64-bit, Workstation/Fusion gained VM lifecycle timestamps, and 26H1 includes functional and security fixes. VMware Fusion 26H1 is also the fixed line referenced by VMSA-2026-0003.
Hosting And Homelab Priority
For a hosting company, the management plane is part of the customer-facing service even when customers never see it. ESXi hosts, vCenter, NSX, Aria/VCF Operations, backup tooling, shared storage, and provider portals all affect customer uptime. For homelabs, the same rules apply at smaller scale: snapshot before major work, keep a rollback path, and do not upgrade every host in a cluster blindly.
- Do first: inventory ESXi, vCenter, VCF, NSX, Aria, Workstation, and Fusion versions. Include admin laptops and support Macs, not only production hosts.
- Protect first: take vCenter backups, verify datastore health, confirm backup jobs, and make sure you can recover the management plane before changing it.
- Patch in lanes: update desktop hypervisors separately from vCenter/ESXi/VCF. Keep customer workload clusters on a controlled maintenance schedule.
- Watch certificates and identity: VCF 9.1 emphasizes centralized identity, licensing, certificate operations, and compliance views. Treat those as operational dependencies, not paperwork.
- Communicate to customers: if VM migrations, storage maintenance, provider portal changes, or backup windows are involved, send a clear notice before the work.
vCenter 9.1 Hardware Version Gotcha
The vCenter virtual hardware change is easy to miss. Broadcom says vCenter in vSphere with VCF 9.1 uses virtual hardware version 17, shown as compatible with ESXi 7.0 and later. If you perform an in-place update from vCenter 9.0.x to 9.1.0, the vCenter VM hardware version may need to be upgraded manually, and that requires the vCenter VM to be powered off.
Do not casually select a newer virtual hardware level because it appears available in the UI. Broadcom specifically warns to choose version 17 for vCenter 9.1. Before doing the compatibility change, take a vCenter backup and, where appropriate, a snapshot that you are prepared to remove after verification.
Desktop Hypervisor Checks
Workstation and Fusion still matter in hosting shops. They sit on developer machines, support laptops, customer recovery stations, and lab Macs. VMware Workstation/Fusion 26H1 adds quality-of-life inventory features such as VM creation and last-powered-on timestamps, while also bringing current guest OS support and security fixes.
- Update VMware Fusion systems affected by CVE-2026-41702 to 26H1 or newer.
- Update VMware Workstation/Fusion lab systems before using them for customer recovery work.
- Use the new lifecycle timestamps to identify stale lab VMs, abandoned customer exports, and old test appliances.
- Review saved credentials and encrypted VM access on support workstations.
- Keep desktop hypervisor updates separate from production ESXi/vCenter maintenance so troubleshooting stays clean.
Other VM Platforms To Watch
This radar pass also found useful adjacent virtualization updates for shops that run mixed stacks or offer migration help away from VMware.
- XCP-ng 8.3 LTS: May 2026 security and maintenance updates fixed XAPI, Linux kernel, and Windows guest tools issues, and host reboots are required for that update set. XCP-ng also made QCOW2 generally available for production use with disks up to 16 TiB, while keeping VHD as the default and recommending gradual rollout.
- XCP-ng XOSTOR: A follow-up May 2026 update addressed a rolling pool update issue for XOSTOR pools. If you use XOSTOR, review both May update posts before touching the pool.
- Proxmox: The Fix I.T. Phill Proxmox guides were refreshed separately, including the Proxmox VE 8.4 to 9.1 upgrade guide, Proxmox Backup Server 3.4 to 4.2 guide, and Proxmox Mail Gateway 8.2 to 9.0 guide.
- Windows Secure Boot: Microsoft Secure Boot certificate work is a separate project, but VM hosts and guest fleets should still be tracked. Use the separate Fix I.T. Phill Microsoft Secure Boot certificate guide for that rollout.
Safe Verification Commands
Use these as inventory helpers. Run them only on systems you manage or are authorized to support.
vmware -v
vmware-installer -l
esxcli system version get
pveversion -v
xe host-list params=name-label,software-versionFor vCenter, Fusion, Workstation, VCF, NSX, Aria, and Horizon, confirm against the vendor UI and Broadcom Support Portal because product naming and entitlement paths have changed since the Broadcom transition.
Maintenance Checklist
- Confirm your target version and supported upgrade path before downloading anything.
- Back up vCenter, provider portal databases, configuration exports, NSX/Aria/VCF state, and customer-critical VM metadata.
- Verify storage health, free datastore capacity, backup job success, and replication status.
- Drain or migrate customer VMs before host-level changes where live patching is not available or not appropriate.
- Patch management components before workload clusters when the vendor upgrade path requires it.
- Keep one known-good admin workstation available that is not part of the desktop hypervisor update test.
- After maintenance, verify management login, VM console access, vMotion/live migration, backups, monitoring, DNS, time sync, certificates, and customer portals.
- Document the final version numbers so the next radar pass can quickly identify drift.
Source Links
- Broadcom announcement for VMware Cloud Foundation 9.1
- VMware Cloud Foundation 9.1 operations overview
- VMware Cloud Foundation 9.1 for VMware Cloud Service Providers
- vCenter virtual hardware upgrade in vSphere with VCF 9.1
- VMware Workstation and Fusion 26H1 announcement
- Broadcom VMSA-2026-0003 for VMware Fusion CVE-2026-41702
- XCP-ng May 2026 security and maintenance update
- XCP-ng May 2026 update 2 for XOSTOR rolling pool updates
- XCP-ng QCOW2 general availability note
Need help planning a VMware, Proxmox, XCP-ng, or mixed virtualization maintenance window for web hosting workloads? Fix I.T. Phill can help stage the work, protect backups, and communicate the plan before customer services are touched.
