CVE-2026-21955 - Vulnerability Details

- Exploitable Resource Consumption Allows Full VirtualBox Takeover

Description

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Published: 2026-01-20

Score: 8.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An exploitable flaw in the core component of Oracle VM VirtualBox enables a high privileged attacker with local logon to the host infrastructure to compromise the VirtualBox process and potentially other applications. The vulnerability falls under uncontrolled resource consumption (CWE‑400) and can be leveraged to compromise confidentiality, integrity, and availability, leading to a full takeover of the virtual machine host environment.

Affected Systems

Oracle Corporation Oracle VM VirtualBox versions 7.1.14 and 7.2.4 are impacted. These releases are listed by Oracle as affected in the public advisory and are identified by the matching CPE strings.

Risk and Exploitability

The CVSS v3.1 base score is 8.2, indicating high severity for a local attacker with high privileges. The EPSS score is less than 1%, denoting a low estimated likelihood of exploitation, and the vulnerability is not yet in the CISA Known Exploited Vulnerabilities catalog. Attackers would need local, high privileged access to the host; once exploited, they can take complete control of Oracle VM VirtualBox and potentially other running applications.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle VM VirtualBox

affected

Version	Status	Constraints
`7.1.14`	affected	—
`7.2.4`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:oracle:vm_virtualbox:7.1.14:::::::*
	cpe:2.3:a:oracle:vm_virtualbox:7.2.4:::::::*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Oracle VM VirtualBox to the latest patched release as advised by Oracle
Limit local access to the VirtualBox process and associated networking sockets by enforcing least privilege on OS user accounts
Apply firewall rules to restrict inbound and outbound traffic to VirtualBox services and monitor logs for anomalous activity

Generated by OpenCVE AI on April 18, 2026 at 04:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.oracle.com/security-alerts/cpujan2026.html

History

Sat, 18 Apr 2026 05:00:00 +0000

Type	Values Removed	Values Added
Title		Exploitable Resource Consumption Allows Full VirtualBox Takeover

Wed, 21 Jan 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
First Time appeared		Oracle Oracle vm Virtualbox
CPEs		cpe:2.3:a:oracle:vm_virtualbox:7.1.14:::::::* cpe:2.3:a:oracle:vm_virtualbox:7.2.4:::::::*
Vendors & Products		Oracle Oracle vm Virtualbox
References		https://www.oracle.com/security-alerts/cpujan2026.html
Metrics		cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Oracle Vm Virtualbox

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-01-20T21:56:30.679Z

Updated: 2026-02-26T14:44:40.041Z

Reserved: 2026-01-05T18:07:34.713Z

Link: CVE-2026-21955

Vulnrichment

Updated: 2026-01-21T15:25:50.984Z

NVD

Status : Analyzed

Published: 2026-01-20T22:15:58.347

Modified: 2026-01-29T16:02:41.310

Link: CVE-2026-21955

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses

CWE-400

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object