Impact
Oracle VirtualBox 7.2.6 contains a difficult-to-exploit flaw that allows a local attacker who already holds high privileges to compromise the VirtualBox process, giving that attacker full control over the host and its virtual machines. The vulnerability is rooted in improper access control (CWE-284). Successful exploitation can result in a full takeover of the virtualization infrastructure, with confidentiality, integrity, and availability impacts.
Affected Systems
The affected product is Oracle Corporation’s Oracle VM VirtualBox, version 7.2.6. Any host running this version is vulnerable to a local privilege escalation that can result in a complete compromise of the VirtualBox instance.
Risk and Exploitability
The CVSS base score of 7.5 reflects a local attack vector, high privileges required, no user interaction, and a changed scope, indicating that the privilege escalation can affect the integrity and availability of the host beyond the VirtualBox process itself. The EPSS score of less than 1% indicates a very low probability of exploitation at present, and the vulnerability is not currently listed in CISA's KEV catalog, suggesting limited evidence of active attacks. However, because the flaw involves primitive privilege assignment, weak access controls, and non-secure file permissions, an attacker with sufficient local access could bypass these defenses and fully compromise the system.
OpenCVE Enrichment