Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).
Published: 2026-06-16
Score: 3.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle VM VirtualBox 7.2.8 contains a vulnerability in the VMSVGA device that can be exploited by an attacker who already has high-privileged access to the host system. An attacker can gain unauthorized read access to a subset of data exposed by the VirtualBox instance, leading to confidentiality compromise of that data. The weakness falls under improper access control and improper information disclosure.

Affected Systems

Oracle Corporation’s VirtualBox 7.2.8; any installations of this version where the VMSVGA device is enabled.

Risk and Exploitability

The CVSS v3.1 base score is 3.2, indicating a low-severity vulnerability that primarily affects confidentiality. The EPSS score is less than 1%, suggesting a low likelihood of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. However, because the attack requires local, high-privileged credentials, an attacker who gains host access could exploit this weakness to read sensitive data. The flaw is not remotely exploitable; the attack vector is local (AV:L in the CVSS vector).

Generated by OpenCVE AI on June 17, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Oracle VM VirtualBox to 7.2.9 or later.
  • If the VirtualBox instance is not required to expose the VMSVGA device, disable or remove the device from the configuration.
  • Restrict host-level access to VirtualBox management services and ensure only trusted administrators can log into the host system.



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).
First Time appeared | | Oracle; Oracle vm Virtualbox
CPEs | | cpe:2.3:a:oracle:vm_virtualbox:7.2.8:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle vm Virtualbox
References | |
Metrics | | cvssV3_1: {'score': 3.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:26:16.815Z

Reserved: 2026-05-18T15:55:10.302Z

Link: CVE-2026-46815

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T23:30:15Z

Weaknesses

No weakness.