CVE-2026-35250 - Vulnerability Details

- Local Privileged Attacker Causes Partial Denial of Service in Oracle VM VirtualBox 7.2.6

Description

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 2.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

Published: 2026-04-21

Score: 2.3 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability exists in the core component of Oracle VM VirtualBox version 7.2.6. It permits an attacker who has logged onto the host system with a high‑privileged account to trigger a partial denial of service of the VirtualBox service without requiring user interaction. The flaw causes an availability degradation, does not affect confidentiality or integrity, and is rooted in improper access control (CWE‑284).

Affected Systems

Oracle VM VirtualBox version 7.2.6 is the only documented affected product; no other releases or components are listed.

Risk and Exploitability

The CVSS v3.1 Base Score of 2.3 indicates low severity, while the EPSS score of <1% reflects an extremely low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local attacker with high‑privilege access to the host, which confines the threat to environments where such accounts exist. Though the risk is low, the availability impact can disrupt operations and warrants timely remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle VM VirtualBox

affected

Version	Status	Constraints
`7.2.6`	affected	—

Configuration 1 [-]

cpe:2.3:a:oracle:vm_virtualbox:7.2.6:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Oracle

Vm Virtualbox

95%

Version	Status	Scheme	Platform
`7.2.6`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Oracle VM VirtualBox to a patched version that resolves the denial‑of‑service issue.
Restrict the use of high‑privileged accounts on hosts that run VirtualBox, applying the principle of least privilege.
If VirtualBox is not required to run dynamically, consider disabling or sandboxing the VirtualBox service to reduce the attack surface.

Generated by OpenCVE AI on April 28, 2026 at 21:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00019.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.oracle.com/security-alerts/cpuapr2026.html

History

Tue, 28 Apr 2026 21:45:00 +0000

Type	Values Removed	Values Added
Title		Local Privileged Attacker Causes Partial Denial of Service in Oracle VM VirtualBox 7.2.6

Tue, 28 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-400

Wed, 22 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 06:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 2.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
First Time appeared		Oracle Oracle vm Virtualbox
CPEs		cpe:2.3:a:oracle:vm_virtualbox:7.2.6:::::::*
Vendors & Products		Oracle Oracle vm Virtualbox
References		https://www.oracle.com/security-alerts/cpuapr2026.html
Metrics		cvssV3_1 `{'score': 2.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L'}`

Subscriptions

Oracle Vm Virtualbox

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-04-21T20:35:53.562Z

Updated: 2026-04-22T15:32:09.463Z

Reserved: 2026-04-01T20:03:40.834Z

Link: CVE-2026-35250

Vulnrichment

Updated: 2026-04-22T15:20:43.855Z

NVD

Status : Analyzed

Published: 2026-04-21T21:16:41.280

Modified: 2026-04-23T12:59:07.163

Link: CVE-2026-35250

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T21:30:26Z

Weaknesses

CWE-284

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object