Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Published: 2026-06-16
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in the VMSVGA device component of Oracle VM VirtualBox. The flaw is locally exploitable by an attacker who has high privileged access to the machine hosting VirtualBox. Because the vulnerability carries a scope change, successful exploitation may impact products beyond VirtualBox itself and can give the attacker unauthorized access to critical data or to all data accessible to VirtualBox, resulting in a confidentiality breach. The vulnerability has a CVSS 3.1 Base Score of 6.0, reflecting moderate severity but significant potential impact on data confidentiality.

Affected Systems

The affected product is Oracle Corporation's Oracle VM VirtualBox, version 7.2.8.

Risk and Exploitability

The CVSS score of 6.0 indicates medium severity, and the EPSS score of less than 1% suggests a low but nonzero likelihood of exploitation. The vulnerability is not currently listed in CISA’s KEV catalog. Because the attack vector is Local, requires High privileges, and needs no user interaction, an attacker who already has local administrative rights can leverage the flaw, so the risk is primarily relevant to environments where local high privilege is easy to obtain. The scope change (S:C) means that a successful attack may impact products beyond VirtualBox itself, amplifying the potential damage.

Generated by OpenCVE AI on June 17, 2026 at 19:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle VM VirtualBox to the latest version that contains the VMSVGA fix.
  • Limit local administrative or privileged access on hosts running VirtualBox to the minimum necessary for operation.
  • Disable or remove VirtualBox if it is not required for business operations to eliminate the attack surface.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
First Time appeared | | Oracle; Oracle vm Virtualbox
CPEs | | cpe:2.3:a:oracle:vm_virtualbox:7.2.8:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle vm Virtualbox
References | |
Metrics | | cvssV3_1: {'score': 6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:16:39.149Z

Reserved: 2026-05-18T15:55:10.308Z

Link: CVE-2026-46877

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T01:00:15Z

Weaknesses

No weakness.