Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 6.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H).
Published: 2026-06-16
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the VMSVGA device of Oracle VM VirtualBox 7.2.8 allows a high‑privileged attacker who has logged on to the host system to force the VirtualBox application to hang or crash repeatedly. The flaw results in a complete denial of service of the virtual machine platform, impacting availability but not confidentiality or integrity of data stored by VirtualBox. The weakness is a local, high‑privilege denial‑of‑service flaw identified through improper handling and access control of VMSVGA requests.

Affected Systems

Oracle Corporation’s VirtualBox virtualization product, version 7.2.8, on any host platform supported by the product is affected. The issue is specific to the VMSVGA device implementation in that release.

Risk and Exploitability

The CVSS v3.1 base score is 6.0, indicating a medium‑severity vulnerability that solely impacts availability. The EPSS score is below 1 %, implying a very low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local high‑privilege access to the host; an attacker with such access can trigger the crash, but the lack of network exposure and the low EPSS score reduce the urgency of widespread exploitation. Nonetheless, any system running VirtualBox 7.2.8 that could be reached by a privileged user should be considered at risk of a local availability attack.

Generated by OpenCVE AI on June 19, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check with Oracle for any available patch or updated release that addresses the VMSVGA denial‑of‑service flaw and upgrade VirtualBox immediately.
  • Restrict host‑level access to VirtualBox by ensuring only trusted, low‑privileged accounts can execute the virtual machine host.
  • Implement host‑based containment measures, such as running VirtualBox in a sandboxed or isolated environment, to mitigate the impact of a potential local crash.
  • Review and enforce proper access controls on the VMSVGA device to prevent unauthorized manipulation by privileged users.

Generated by OpenCVE AI on June 19, 2026 at 03:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Local High‑Privilege Denial‑of‑Service in Oracle VM VirtualBox 7.2.8 VMSVGA Device

Fri, 19 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title High Privilege Local Crash in Oracle VM VirtualBox 7.2.8 via VMSVGA Device
Weaknesses CWE-674
CWE-779

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title High Privilege Local Crash in Oracle VM VirtualBox 7.2.8 via VMSVGA Device
Weaknesses CWE-674
CWE-779

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 6.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H).
First Time appeared Oracle
Oracle vm Virtualbox
CPEs cpe:2.3:a:oracle:vm_virtualbox:7.2.8:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle vm Virtualbox
References
Metrics cvssV3_1

{'score': 6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H'}


Subscriptions

Oracle Vm Virtualbox
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:35:05.626Z

Reserved: 2026-05-18T15:55:10.296Z

Link: CVE-2026-46768

cve-icon Vulnrichment

Updated: 2026-06-17T15:25:21.149Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T04:00:07Z

Weaknesses