Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-04-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Denial of Service via RDP
Action: Patch Now
AI Analysis

Impact

Oracle VM VirtualBox 7.2.6 contains a flaw in the Core component that allows an unauthenticated user with network access via Remote Desktop Protocol (RDP) to trigger a hang or crash, resulting in a denial of service. The flaw stems from improper handling of RDP input, leading to a controllable failure in the virtual machine host. Attackers can repeatedly exploit this weakness to disrupt the availability of the virtualization environment.

Affected Systems

Oracle Corporation’s Oracle VM VirtualBox version 7.2.6.

Risk and Exploitability

The vulnerability has a CVSS 3.1 Base Score of 7.5, indicating a high impact on availability. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated network connection via RDP, requiring no elevated privileges. While the exploitability at present appears moderate, the possibility of an easily triggered remote denial of service makes it a significant risk for environments that deploy this version of VirtualBox.

Generated by OpenCVE AI on April 22, 2026 at 04:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Oracle’s security portal for an available patch or update for VirtualBox 7.2.6 and apply it immediately.
  • If a patch is not yet released, block or restrict RDP traffic to the VirtualBox host using firewall rules or network segmentation to limit exposure to unauthenticated users.
  • Monitor the VirtualBox host for abnormal crashes or hangs and investigate any anomalous RDP activity to detect ongoing exploitation attempts.



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 05:00:00 +0000

Type | Values Removed | Values Added
Title | | Remote Desktop–Triggered Denial of Service in Oracle VM VirtualBox 7.2.6
Weaknesses | | CWE-400

Wed, 22 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
First Time appeared | | Oracle; Oracle vm Virtualbox
CPEs | | cpe:2.3:a:oracle:vm_virtualbox:7.2.6:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle vm Virtualbox
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:51.281Z

Reserved: 2026-04-01T20:03:40.833Z

Link: CVE-2026-35245

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T21:16:40.537

Modified: 2026-04-21T21:16:40.537

Link: CVE-2026-35245

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:45:09Z

Weaknesses