Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).
Published: 2026-01-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation and Partial Denial of Service
Action: Patch immediately
AI Analysis

Impact

A flaw in the Core component of Oracle VM VirtualBox permits an attacker who already holds high-privileged logon access to the host system to create, modify, or delete VirtualBox data and potentially disrupt its operation, causing high confidentiality and integrity impact with a partial (CVSS A:L) availability impact. The CVSS vector indicates a local attack that requires no user interaction, relies on high privileges, and involves a scope change (S:C), meaning the impact can extend beyond VirtualBox itself to other products on the host. Attackers could thereby obtain or alter sensitive guest information, delete critical configuration files, or trigger a partial service interruption affecting host or guest workloads.

Affected Systems

Oracle VM VirtualBox versions 7.1.14 and 7.2.4 are impacted. These releases are maintained by Oracle Corporation and run on various host operating systems, providing virtualization services to organizations. Users of older 7.x releases should verify their installed version against the affected list.

Risk and Exploitability

The vulnerability carries a CVSS base score of 8.1, indicating high severity. The EPSS score is reported as less than 1%, implying a very low but nonzero likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access to the infrastructure hosting VirtualBox together with an account that already holds high privileges, making this a local privilege escalation scenario that depends on an already privileged (or compromised privileged) user. Despite the low probability of widespread attacks, the potential impact on data integrity, confidentiality, and availability warrants prompt remediation.

Generated by OpenCVE AI on April 18, 2026 at 04:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Oracle VM VirtualBox to version 7.1.15 or later (7.1 branch) or 7.2.5 or later (7.2 branch), which include the Core component fix for CVE-2026-21989.
  • If an immediate patch is unavailable, restrict local user accounts on the host so that only trusted administrators hold logon rights, and monitor for unauthorized attempts to manipulate VirtualBox data.
  • Restrict VirtualBox usage by disabling unused features such as remote display or shared folders until the patch is applied, thereby limiting the attack surface for potential compromise.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 04:45:00 +0000

Type Values Removed Values Added
Title Privilege Escalation Vulnerability in Oracle VM VirtualBox
Weaknesses CWE-284, CWE-285

Thu, 29 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 29 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).
First Time appeared Oracle, Oracle vm Virtualbox
CPEs cpe:2.3:a:oracle:vm_virtualbox:7.1.14:*:*:*:*:*:*:*, cpe:2.3:a:oracle:vm_virtualbox:7.2.4:*:*:*:*:*:*:*
Vendors & Products Oracle, Oracle vm Virtualbox
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L'}

Subscriptions

Oracle Vm Virtualbox
MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-02-26T14:44:36.324Z

Reserved: 2026-01-05T18:07:34.717Z

Link: CVE-2026-21989

Vulnrichment

Updated: 2026-01-29T16:30:48.427Z

NVD

Status : Analyzed

Published: 2026-01-20T22:16:02.470

Modified: 2026-01-29T14:39:14.727

Link: CVE-2026-21989

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z