Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N).
Published: 2026-06-16
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the VMSVGA device of Oracle VM VirtualBox 7.2.8 allows a local user with high privileges to modify or delete VirtualBox data, compromising data integrity. The vulnerability, categorized under improper access control, results in a CVSS 3.1 Base Score of 6.0 with an integrity impact and a scope change that can affect other host applications.

Affected Systems

Oracle VM VirtualBox version 7.2.8, released by Oracle Corporation, is the only product explicitly affected. The scope change note indicates that if the VirtualBox instance is compromised, other software running on the same host could also be impacted.

Risk and Exploitability

The CVSS vector (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N) requires a local high-privileged attacker and no user interaction, limiting exploitation to insiders or compromised systems. The EPSS score of <1% signals a very low likelihood of real-world exploitation, and the vulnerability is not listed in CISA KEV. Nevertheless, the integrity impact and potential to affect other host applications warrant safeguarding the environment.

Generated by OpenCVE AI on June 17, 2026 at 22:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle VM VirtualBox update that includes the fix for the VMSVGA device flaw
  • Limit or disable high-privileged accounts on the host to reduce the risk of local exploitation
  • If virtual machines do not require a VMSVGA device, disable or remove it to shrink the attack surface

Generated by OpenCVE AI on June 17, 2026 at 22:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via VMSVGA Device in Oracle VM VirtualBox 7.2.8
Weaknesses CWE-284
CWE-285
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N).
First Time appeared Oracle
Oracle vm Virtualbox
CPEs cpe:2.3:a:oracle:vm_virtualbox:7.2.8:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle vm Virtualbox
References
Metrics cvssV3_1

{'score': 6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N'}


Subscriptions

Oracle Vm Virtualbox
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:28:07.342Z

Reserved: 2026-05-18T15:55:10.303Z

Link: CVE-2026-46825

cve-icon Vulnrichment

Updated: 2026-06-17T15:27:57.768Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T22:30:13Z

Weaknesses