Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.6 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L).
Published: 2026-01-20
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized read access and partial denial of service with high privileged attacker in Oracle VM VirtualBox
Action: Apply Patch
AI Analysis

Impact

This vulnerability in Oracle VM VirtualBox’s Core component enables a local user with high privileges to compromise the VirtualBox process. The flaw allows the attacker to read a subset of data that VirtualBox can access and to trigger a partial denial of service, degrading the availability of the virtualization platform. The weakness corresponds to an access control issue, as indicated by CWE‑269. The impact is limited to a single host where VirtualBox is installed, with potential downstream effects if the compromised VirtualBox is used to provide services to other products.

Affected Systems

Oracle Corporation’s Oracle VM VirtualBox version 7.1.14 and 7.2.4 are affected. These product releases contain the Core component that contains the vulnerability. No other versions or products were listed as affected.

Risk and Exploitability

The quantified CVSS score of 4.6 reflects modest confidentiality and availability impact, while the EPSS score of less than one percent shows that exploitation is expected to be rare. The attack requires local presence and high privilege on the host, and the vulnerability’s scope changes to affected components, meaning compromise is limited to the VirtualBox instance. Given the low probability of exploitation and absence from the KEV catalog, the immediate risk to external attackers is low, but internal high‑privileged users retain a potential threat.

Generated by OpenCVE AI on April 18, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle VM VirtualBox to the latest patch or version that addresses the Core access control flaw.
  • Limit local user accounts with high privileges on hosts running VirtualBox and enforce least‑privilege principles.
  • Monitor VirtualBox logs for abnormal read or denial‑of‑service activity and address any configuration that might expose sensitive data.

Generated by OpenCVE AI on April 18, 2026 at 04:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 04:45:00 +0000

Type Values Removed Values Added
Title High-Privilege Unauthorized Read and Partial Denial of Service in Oracle VM VirtualBox

Wed, 21 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.6 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L).
First Time appeared Oracle
Oracle vm Virtualbox
CPEs cpe:2.3:a:oracle:vm_virtualbox:7.1.14:*:*:*:*:*:*:*
cpe:2.3:a:oracle:vm_virtualbox:7.2.4:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle vm Virtualbox
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L'}

Subscriptions

Oracle Vm Virtualbox
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T14:31:45.610Z

Reserved: 2026-01-05T18:07:34.716Z

Link: CVE-2026-21981

cve-icon Vulnrichment

Updated: 2026-01-21T14:31:12.195Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-20T22:16:01.510

Modified: 2026-01-29T14:40:39.603

Link: CVE-2026-21981

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z

Weaknesses