Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Published: 2026-04-21
Score: 3.2 Low
EPSS: n/a
KEV: No
Impact: Integrity
Action: Patch
AI Analysis

Impact

Vulnerability in the core component of Oracle VM VirtualBox version 7.2.6 allows a local attacker with high privileges on the host to trigger an improper authorization flaw that enables unauthorized update, insert, or delete operations on data accessible through VirtualBox. The weakness results in integrity violations and is categorized as CWE‑284.

Affected Systems

Oracle VM VirtualBox 7.2.6 from Oracle Corporation is the only documented affected version; other releases are not impacted.

Risk and Exploitability

The attack vector is local and requires a high privileged account on the host. The CVSS score of 3.2 indicates low severity, and no EPSS data is available. The vulnerability is not listed in CISA KEV. Although the risk is limited to environments where privileged local accounts exist, the capability to modify data compromises integrity if exploited.

Generated by OpenCVE AI on April 22, 2026 at 04:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle VM VirtualBox patch or upgrade to a newer release that addresses the integrity flaw.
  • Restrict local high‑privilege accounts on the hypervisor host to reduce the chance of exploitation.
  • Configure monitoring and auditing of VirtualBox logs to detect unauthorized data modifications.

Generated by OpenCVE AI on April 22, 2026 at 04:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Title Local Access Integrity Vulnerability in Oracle VM VirtualBox 7.2.6
Weaknesses CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
First Time appeared Oracle
Oracle vm Virtualbox
CPEs cpe:2.3:a:oracle:vm_virtualbox:7.2.6:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle vm Virtualbox
References
Metrics cvssV3_1

{'score': 3.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N'}

Subscriptions

Oracle Vm Virtualbox
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:52.995Z

Reserved: 2026-04-01T20:03:40.834Z

Link: CVE-2026-35249

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-21T21:16:41.103

Modified: 2026-04-21T21:16:41.103

Link: CVE-2026-35249

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T04:45:09Z

Weaknesses