Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-01-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Full takeover of Oracle VM VirtualBox leading to compromise of host system
Action: Patch
AI Analysis

Impact

Oracle VM VirtualBox’s Core component contains an access control flaw (CWE‑284, Improper Access Control) that allows an unauthenticated attacker with access to the physical communication segment connected to the host machine to compromise VirtualBox. Successful exploitation can result in a complete takeover of the VirtualBox instance, exposing the host’s data, altering system integrity, and potentially disrupting availability. The CVSS v3.1 base score is 7.5 (High), reflecting high impact on confidentiality, integrity and availability.

Affected Systems

Affected products include Oracle Corporation’s Oracle VM VirtualBox versions 7.1.14 and 7.2.4. The vulnerability resides in the Core component of these releases and can affect any system running VirtualBox on those versions.

Risk and Exploitability

The risk of exploitation is moderate: the attack vector is Adjacent (AV:A), so the attacker needs access to the physical communication segment attached to the host, and the attack complexity is High (AC:H), which Oracle describes as difficult to exploit. While the EPSS score is below 1% and the flaw is not listed in the CISA KEV catalog, the high CVSS score and the potential for a full takeover make timely remediation essential. An attacker would need to craft a payload that exploits the access control weakness to gain control over VirtualBox, after which they could create or modify guest VMs, access sensitive data, or disrupt host operations.

Generated by OpenCVE AI on April 18, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle VM VirtualBox version 7.1.15 or later, or 7.2.5 or later, which contain the fix for the access‑control vulnerability.
  • If an immediate patch is unavailable, isolate the host machine from the physical communication segment to which VirtualBox is attached, effectively preventing physical‑segment attackers from accessing the environment.
  • Enforce strict privilege controls so that only authorised users can start or manage VirtualBox processes, reducing the likelihood of an unauthenticated attacker gaining a foothold.

Generated by OpenCVE AI on April 18, 2026 at 04:22 UTC.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 04:45:00 +0000

Values added:
  Title: Access Control Vulnerability in Oracle VM VirtualBox Allows Full System Compromise

Wed, 21 Jan 2026 15:15:00 +0000

Values added:
  Weaknesses: CWE-284
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 22:15:00 +0000

Values added:
  Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
  First Time appeared: Oracle; Oracle vm Virtualbox
  CPEs:
    cpe:2.3:a:oracle:vm_virtualbox:7.1.14:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:vm_virtualbox:7.2.4:*:*:*:*:*:*:*
  Vendors & Products: Oracle; Oracle vm Virtualbox
  References:
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-02-26T14:44:37.854Z

Reserved: 2026-01-05T18:07:34.716Z

Link: CVE-2026-21982

Vulnrichment

Updated: 2026-01-21T14:28:45.484Z

NVD

Status : Analyzed

Published: 2026-01-20T22:16:01.637

Modified: 2026-01-29T14:40:31.097

Link: CVE-2026-21982

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z

Weaknesses