Impact
The vulnerability resides in the VMSVGA device of Oracle VM VirtualBox and permits an attacker who already has high-privilege access on the host to read a subset of VirtualBox-managed data. The flaw is exploitable locally, requires low effort, and has been classified as low severity (CVSS 3.2) with a low exploit probability (<1%) according to EPSS. The local attack vector is inferred: the description notes that the attacker needs logon to the infrastructure where VirtualBox runs, and no remote exploitation is described. Because the vulnerability's scope can change, successful exploitation might give unauthorized read access to other products running on the same host.
Affected Systems
Oracle VM VirtualBox version 7.2.8 is the only affected release listed; the issue exists in the VMSVGA graphics device of that product. No other versions or components are indicated as affected.
Risk and Exploitability
With a CVSS score of 3.2 and EPSS below 1%, the risk is low for a single compromised host. However, because the flaw exposes data to an attacker with high privileges, an attacker who can gain local logon could easily read sensitive VirtualBox information. The vulnerability is not listed in CISA's KEV catalog, but administrators should consider prompt remediation given the potential breadth of data exposure and the possibility that the scope extends to other host-resident products.