CVE-2026-35248 - Vulnerability Details

- Privilege Escalation and Partial Denial in Oracle VM VirtualBox 7.2.6

Description

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L).

Published: 2026-04-21

Score: 5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in Oracle VM VirtualBox 7.2.6 permits a high‑privileged attacker who already has logon access to the host infrastructure to compromise the VirtualBox host itself. Exploitation allows the attacker to perform unauthorized updates, inserts, or deletions on data the VirtualBox service manages, to read restricted data subsets, and to induce a partial denial of service. The impact spans confidentiality, integrity, and availability, and the scope change indicates that the security failure could propagate to other Oracle products that interact with VirtualBox.

Affected Systems

Oracle Corporation’s Oracle VM VirtualBox, version 7.2.6. The affected component is the Core module of the VirtualBox application.

Risk and Exploitability

The CVSS 3.1 base score of 5.0 denotes moderate severity, with low attacker–required efforts (attack vector LOCAL, high privilege), no user interaction, and a scope change. EPSS is not available and the vulnerability is not listed in CISA KEV. An attacker must already be logged in with elevated privileges on the host; from that position the flaw can be exploited to obtain partial data access and to disrupt functionality of VirtualBox. Because the scope changes, additional Oracle products may also be impacted indirectly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle VM VirtualBox

affected

Version	Status	Constraints
`7.2.6`	affected	—

No data.

Vendor Product Confidence Versions

Oracle

Vm Virtualbox

95%

Version	Status	Scheme	Platform
`7.2.6`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a version of Oracle VM VirtualBox that is later than 7.2.6
Limit the use of high‑privilege accounts that can control VirtualBox hosts to the minimum necessary set
Enable logging and audit trails for VirtualBox operations and review logs for unexpected update, delete, or connectivity events

Generated by OpenCVE AI on April 22, 2026 at 04:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cpuapr2026.html

History

Wed, 22 Apr 2026 05:00:00 +0000

Type	Values Removed	Values Added
Title		Privilege Escalation and Partial Denial in Oracle VM VirtualBox 7.2.6
Weaknesses		CWE-264 CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L).
First Time appeared		Oracle Oracle vm Virtualbox
CPEs		cpe:2.3:a:oracle:vm_virtualbox:7.2.6:::::::*
Vendors & Products		Oracle Oracle vm Virtualbox
References		https://www.oracle.com/security-alerts/cpuapr2026.html
Metrics		cvssV3_1 `{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L'}`

Subscriptions

Oracle Vm Virtualbox

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-04-21T20:35:52.538Z

Updated: 2026-04-21T20:35:52.538Z

Reserved: 2026-04-01T20:03:40.834Z

Link: CVE-2026-35248

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:40.957

Modified: 2026-04-21T21:16:40.957

Link: CVE-2026-35248

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:45:09Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object