Impact
A flaw in the VMSVGA device of Oracle VM VirtualBox 7.2.8 allows a local user with high privileges to modify or delete VirtualBox data, compromising data integrity. The vulnerability, categorized under improper access control, results in a CVSS 3.1 Base Score of 6.0 with an integrity impact and a scope change that can affect other host applications.
Affected Systems
Oracle VM VirtualBox version 7.2.8, released by Oracle Corporation, is the only product explicitly affected. The scope change note indicates that if the VirtualBox instance is compromised, other software running on the same host could also be impacted.
Risk and Exploitability
The CVSS vector (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N) requires a local high-privileged attacker and no user interaction, limiting exploitation to insiders or compromised systems. The EPSS score of <1% signals a very low likelihood of real-world exploitation, and the vulnerability is not listed in CISA KEV. Nevertheless, the integrity impact and potential to affect other host applications warrant safeguarding the environment.
OpenCVE Enrichment