Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).
Published: 2026-06-16
Score: 3.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the Core component of Oracle VM VirtualBox 7.2.8 allows an attacker who already has a high-privileged login on the host system to compromise VirtualBox. The flaw enables limited unauthorized read access to data that the VirtualBox instance can access. Because the vulnerability involves a scope change, attacks may also affect additional products beyond VirtualBox. The confidentiality impact is low, and there is no impact on integrity or availability.

Affected Systems

Oracle Corporation’s Oracle VM VirtualBox version 7.2.8 is affected. No other products or versions are mentioned as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score is 3.2, indicating a low-severity issue, and the EPSS score is below 1%, showing a very low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The likely attack vector is local: the attacker must log on to the host with high privileges. The vulnerability is described as easily exploitable once these prerequisites are met, but the impact remains confined to reading data, without affecting other system functions.

Generated by OpenCVE AI on June 17, 2026 at 18:18 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Oracle VM VirtualBox release that incorporates the fix for this vulnerability.
  • Restrict local privileged accounts on the host that runs VirtualBox, ensuring only necessary administrative users have elevated rights.
  • Enable and review auditing/logging for the VirtualBox processes to detect potential unauthorized data accesses.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N). |
| First Time appeared | | Oracle; Oracle vm Virtualbox |
| CPEs | | cpe:2.3:a:oracle:vm_virtualbox:7.2.8:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle vm Virtualbox |
| References | | |
| Metrics | | cvssV3_1: {'score': 3.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:14:11.332Z

Reserved: 2026-05-18T15:55:10.308Z

Link: CVE-2026-46874

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T04:00:02Z

Weaknesses

No weakness.