Impact
This vulnerability arises from improper privilege management in a core component of Oracle VM VirtualBox. A local attacker who already holds high-privileged access on the host machine can exploit the flaw to gain unauthorized control of the VirtualBox service. The outcome is a breach of confidentiality, allowing the attacker to read or manipulate any data accessible through VirtualBox. The weakness is classified as CWE-269 (Improper Privilege Management), reflecting a failure to enforce appropriate privilege levels.
Affected Systems
The affected product is Oracle Corporation's Oracle VM VirtualBox, versions 7.1.14 and 7.2.4. These releases are listed by Oracle as vulnerable. Because the vulnerability involves a scope change, the impact is not confined to VirtualBox itself and may extend to other products or services running on the same host.
Risk and Exploitability
Risk assessment shows a CVSS 3.1 base score of 6.0, indicating moderate severity overall but a significant confidentiality impact. The EPSS score is below 1%, implying a low current probability of exploitation. Because the vulnerability requires local, high-privileged access and is not listed in the CISA KEV catalog, the threat is primarily to environments where hosts are not hardened against privileged local attackers. The attacker must first compromise, or already have access to, the host; once there, executing a crafted operation within VirtualBox provides complete access to all data exposed by the virtual machine service.
OpenCVE Enrichment