CVE-2026-35230 - Vulnerability Details

Description

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

Published: 2026-04-21

Score: 7.5 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A local vulnerability in the Core component of Oracle VM VirtualBox allows an attacker who already possesses high privileges on the host system to compromise the VirtualBox application. The attacker can achieve full control over the VirtualBox instance, leading to confidentiality, integrity, and availability losses. The impact extends beyond VirtualBox, potentially affecting other products running on the same infrastructure due to a scope change.

Affected Systems

Oracle VM VirtualBox version 7.2.6. Any installation of this version deployed on a system where a user can log on with high-level privileges is at risk.

Risk and Exploitability

The CVSS 3.1 Base Score of 7.5 reflects a significant risk, yet exploitation requires local access and elevated privileges, reducing the likelihood of broad attacks. Since the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the occurrence rate is uncertain. The attack vector is local; the attacker must log on to the host OS with high privileges to trigger the vulnerability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle VM VirtualBox

affected

Version	Status	Constraints
`7.2.6`	affected	—

No data.

Vendor Product Confidence Versions

Oracle

Vm Virtualbox

95%

Version	Status	Scheme	Platform
`7.2.6`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Oracle VM VirtualBox from version 7.2.6 to the latest released version or a version that no longer contains the core vulnerability.
If an upgrade is not immediately possible, restrict privileged access to the host OS and isolate the VirtualBox installation from other critical services.
Monitor the VirtualBox application and host system for anomalous activity that could indicate an attempt to exploit the vulnerability.

Generated by OpenCVE AI on April 22, 2026 at 07:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cpuapr2026.html

History

Wed, 22 Apr 2026 07:30:00 +0000

Type	Values Removed	Values Added
Title	Privilege Escalation in Oracle VM VirtualBox 7.2.6 via Local High-Privilege Attack
Weaknesses	CWE-284 CWE-732

Wed, 22 Apr 2026 02:45:00 +0000

Type	Values Removed	Values Added
Title		Privilege Escalation in Oracle VM VirtualBox 7.2.6 via Local High-Privilege Attack
Weaknesses		CWE-284 CWE-732

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
First Time appeared		Oracle Oracle vm Virtualbox
CPEs		cpe:2.3:a:oracle:vm_virtualbox:7.2.6:::::::*
Vendors & Products		Oracle Oracle vm Virtualbox
References		https://www.oracle.com/security-alerts/cpuapr2026.html
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Oracle Vm Virtualbox

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-04-21T20:35:43.702Z

Updated: 2026-04-21T20:35:43.702Z

Reserved: 2026-04-01T20:03:40.833Z

Link: CVE-2026-35230

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:38.583

Modified: 2026-04-21T21:16:38.583

Link: CVE-2026-35230

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:15:11Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object