Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).
Published: 2026-06-16
Score: 3.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the VMSVGA device of Oracle VM VirtualBox and allows an attacker with high-privileged access on the host to read a subset of the data accessible through VirtualBox. The impact is on confidentiality: the attacker can obtain information from the virtual machine environment without authorization. The weakness is an information-disclosure flaw, since the attacker gains read access without modifying the underlying state of the system.

Affected Systems

Oracle Corporation’s Oracle VM VirtualBox version 7.2.8 is affected. The affected component is the VMSVGA device within that release.

Risk and Exploitability

The CVSS base score of 3.2 indicates low severity, and the EPSS score of less than 1% shows it is statistically unlikely to be actively exploited. It does not appear in the CISA KEV catalog. The attack vector is inferred to be local, requiring an attacker to have high privileged logon on the host machine where VirtualBox is installed. Because the weakness only allows read access to a subset of data, the potential impact is limited to confidentiality rather than integrity or availability.

Generated by OpenCVE AI on June 17, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch or update for Oracle VM VirtualBox 7.2.8 released by Oracle.
  • Limit privileged logon accounts to the host machine running VirtualBox to reduce the attack surface for local attackers.
  • Enable monitoring and log analysis on the host to detect unauthorized data access attempts or abnormal read activity.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).
First Time appeared | | Oracle; Oracle vm Virtualbox
CPEs | | cpe:2.3:a:oracle:vm_virtualbox:7.2.8:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle vm Virtualbox
References | |
Metrics | | cvssV3_1: {'score': 3.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:40:01.708Z

Reserved: 2026-05-18T15:55:10.314Z

Link: CVE-2026-46977

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T02:45:02Z

Weaknesses

No weakness.