CVE-2026-21984 - Vulnerability Details

- Privilege Escalation and Scope Change Exploit in Oracle VM VirtualBox Core

Description

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

Published: 2026-01-20

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability in the Core component of Oracle VM VirtualBox, with a CVSS v3.1 base score of 7.5, allows a high‑privileged attacker who has logged on to the host environment to compromise the VirtualBox instance. The flaw grants the attacker control over Confidentiality, Integrity, and Availability of the virtualization platform, and the description notes that the attack can cause a scope change, meaning other applications running on the same host may also be affected.

Affected Systems

Oracle Corporation’s Oracle VM VirtualBox versions 7.1.14 and 7.2.4 are affected. The vulnerability pertains to the Core component of this virtualization product, and only the specified major releases should be considered at risk.

Risk and Exploitability

While the EPSS score is reported as less than 1%, indicating a low exploitation probability in the wild, the risk is nevertheless high because the vulnerability requires local privileged access— a condition that is common in many internal environments. The affected versions can be fully compromised, potentially allowing attackers to alter virtual machine configurations, exfiltrate data, or pivot to other hosts. The vulnerability is not listed in the CISA KEV catalog, but its high impact score and scope‑changing nature warrant immediate attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle VM VirtualBox

affected

Version	Status	Constraints
`7.1.14`	affected	—
`7.2.4`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:oracle:vm_virtualbox:7.1.14:::::::*
	cpe:2.3:a:oracle:vm_virtualbox:7.2.4:::::::*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Oracle VM VirtualBox update that includes the fix for CVE‑2026‑21984 (see Oracle's January 2026 CPU advisory).
Restrict and monitor local privileged user access on hosts running VirtualBox, ensuring that only trusted administrators can log on.
Enable host‑based intrusion detection and review VirtualBox logs for unusual configuration changes or unauthorized activity.

Generated by OpenCVE AI on April 18, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00029.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.oracle.com/security-alerts/cpujan2026.html

History

Sat, 18 Apr 2026 04:45:00 +0000

Type	Values Removed	Values Added
Title		Privilege Escalation and Scope Change Exploit in Oracle VM VirtualBox Core

Wed, 21 Jan 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
First Time appeared		Oracle Oracle vm Virtualbox
CPEs		cpe:2.3:a:oracle:vm_virtualbox:7.1.14:::::::* cpe:2.3:a:oracle:vm_virtualbox:7.2.4:::::::*
Vendors & Products		Oracle Oracle vm Virtualbox
References		https://www.oracle.com/security-alerts/cpujan2026.html
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Oracle Vm Virtualbox

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-01-20T21:56:40.060Z

Updated: 2026-02-26T14:44:37.220Z

Reserved: 2026-01-05T18:07:34.717Z

Link: CVE-2026-21984

Vulnrichment

Updated: 2026-01-21T14:21:46.330Z

NVD

Status : Analyzed

Published: 2026-01-20T22:16:01.880

Modified: 2026-01-29T14:40:13.757

Link: CVE-2026-21984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z

Weaknesses

CWE-284

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object