Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 7.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
Published: 2026-01-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

A local attacker who can log on to the infrastructure where Oracle VM VirtualBox runs can trigger a hang or a frequently repeatable crash of VirtualBox, a complete denial of service. No privileges and no user interaction are required (PR:N, UI:N). The flaw does not disclose data or allow code execution, so its impact is confined to availability, but the CVSS scope is Changed (S:C): Oracle notes that attacks may significantly impact additional products beyond VirtualBox itself. The vulnerability resides in the Core component and, per Oracle's advisory, applies only to Windows guest VMs.

Affected Systems

Oracle VM VirtualBox 7.1.14 and 7.2.4 are the supported versions Oracle lists as affected. Oracle's note that the vulnerability "applies to Windows VMs only" refers to the guest operating system, not the host: the advisory does not restrict the host platform, so any supported host running one of these versions with Windows guests should be treated as in scope.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 base score of 7.1 (High) with vector AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H: local attack vector, low attack complexity, no privileges or user interaction required, changed scope, and a high availability impact with no confidentiality or integrity impact. EPSS estimates a very low exploitation probability (<1%), the CVE is not listed in the CISA KEV catalog, and the SSVC assessment recorded in the history below rates exploitation as "none" and the attack as not automatable. Because any user who can log on to the host can trigger the failure with little effort, the practical risk concentrates on shared or multi-tenant hosts where untrusted users hold local accounts; on a single-operator workstation it is much lower. The effect is limited to availability rather than confidentiality or integrity.

Generated by OpenCVE AI on April 18, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle VM VirtualBox to a release newer than 7.1.14 (7.1 branch) or 7.2.4 (7.2 branch) that Oracle lists as containing the fix; confirm the exact fixed versions in the Oracle advisory that published this CVE.
  • Restrict interactive logon to the host to trusted administrators. Because no privileges are required (PR:N), any local account, not only a privileged one, suffices to trigger the denial of service.
  • If an immediate upgrade is not possible, consider uninstalling or disabling VirtualBox on hosts that do not require it, or shutting down Windows guests on hosts that untrusted users can log on to, since Oracle states the issue applies to Windows VMs only.
  • Monitor hosts for abnormal VirtualBox behaviour (repeated crashes of the VirtualBoxVM or VBoxSVC processes, hung Windows guests) and apply updates promptly once available.
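To turn the first and third actions into a repeatable check, here is an added triage helper (example code, not OpenCVE or Oracle tooling). It assumes `VBoxManage` is on PATH, that `VBoxManage --version` prints a `MAJOR.MINOR.PATCHrREVISION` string, and that `VBoxManage list vms --long` prints one `Name:` and one `Guest OS:` line per VM; the sample output embedded below is constructed in that format (the revision number and VM names are made up) so the parsing logic runs offline.

```python
"""Triage a VirtualBox host for this CVE: affected version AND Windows guests present.
Added example; assumes the VBoxManage output formats described in the lead-in."""
import re
import shutil
import subprocess

# Supported versions Oracle lists as affected for this CVE. Older, unsupported releases
# are not assessed by Oracle at all, so they are flagged separately rather than as "clean".
AFFECTED = {(7, 1, 14), (7, 2, 4)}
OLDEST_ASSESSED = (7, 1, 14)


def parse_version(text: str) -> tuple:
    """'7.1.14r169917\\n' -> (7, 1, 14); anything after the patch number is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised VBoxManage --version output: {text!r}")
    return tuple(int(g) for g in m.groups())


def status_for(version: tuple) -> str:
    """'affected', 'unassessed' (older than any listed version) or 'not-listed'."""
    if version in AFFECTED:
        return "affected"
    if version < OLDEST_ASSESSED:
        return "unassessed"
    return "not-listed"


def windows_guests(list_vms_long: str) -> list:
    """Names of VMs whose 'Guest OS:' line names a Windows guest."""
    names, current = [], None
    for line in list_vms_long.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        # Shared-folder entries also start with "Name:" but quote their value; skip those.
        if key == "Name" and not value.startswith("'"):
            current = value
        elif key == "Guest OS" and current and value.lower().startswith("windows"):
            names.append(current)
            current = None
    return names


def triage(version_text: str, list_vms_long: str) -> dict:
    """Combine version status and guest inventory into one verdict."""
    v = parse_version(version_text)
    st = status_for(v)
    guests = windows_guests(list_vms_long)
    return {
        "version": ".".join(map(str, v)),
        "status": st,
        "windows_guests": guests,
        # Exposed only when the version is affected and a Windows guest exists on the host.
        "exposed": st == "affected" and bool(guests),
    }


def triage_host() -> dict:
    """Run the real commands on this host; raises RuntimeError if VBoxManage is absent."""
    exe = shutil.which("VBoxManage")
    if exe is None:
        raise RuntimeError("VBoxManage not found on PATH")
    ver = subprocess.run([exe, "--version"], capture_output=True, text=True, check=True).stdout
    vms = subprocess.run([exe, "list", "vms", "--long"], capture_output=True, text=True, check=True).stdout
    return triage(ver, vms)


# Constructed sample output in the assumed formats (revision and VM names are invented).
SAMPLE_VERSION = "7.1.14r169917\n"
SAMPLE_LIST = """Name:                        win10-test
Groups:                      /
Guest OS:                    Windows 10 (64-bit)
Name:                        ubuntu-build
Groups:                      /
Guest OS:                    Ubuntu (64-bit)
Name: 'shared', Host path: '/srv/shared' (machine mapping), writable
"""

if __name__ == "__main__":
    try:
        print(triage_host())
    except RuntimeError:
        print(triage(SAMPLE_VERSION, SAMPLE_LIST))   # falls back to the constructed sample
```

A host reports `exposed` only when its version is one Oracle lists as affected and at least one Windows guest is registered; a host on an unassessed older release still needs an upgrade, it just cannot be asserted as vulnerable to this CVE from the advisory text alone.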



Advisories

No advisories yet.

History

Sat, 18 Apr 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated local denial of service in Oracle VM VirtualBox 7.x
Weaknesses CWE-400

Thu, 29 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Fri, 23 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 7.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
First Time appeared Oracle
Oracle vm Virtualbox
CPEs cpe:2.3:a:oracle:vm_virtualbox:7.1.14:*:*:*:*:*:*:*
cpe:2.3:a:oracle:vm_virtualbox:7.2.4:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle vm Virtualbox
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-23T21:55:06.965Z

Reserved: 2026-01-05T18:07:34.717Z

Link: CVE-2026-21986

Vulnrichment

Updated: 2026-01-23T18:57:24.902Z

NVD

Status : Analyzed

Published: 2026-01-20T22:16:02.120

Modified: 2026-01-29T14:39:59.450

Link: CVE-2026-21986

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z

Weaknesses