Severity by source
AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Local vector and high privilege required to interact with VMSVGA device; scope change reflects cross-boundary integrity impact on host or peer VMs; no confidentiality or availability impact observed.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N).
AnalysisAI
Integrity compromise in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device component allows a highly privileged local attacker to make unauthorized modifications to critical data, with scope change indicating impact extends beyond the initially targeted VM instance. The CVSS 3.1 vector (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N) confirms local-only attack surface requiring high privileges, but the confirmed scope change elevates the potential blast radius to the host or adjacent VMs. No public exploit has been identified at time of analysis, and the vulnerability is patched under Oracle's Critical Security Update for June 2026.
Technical ContextAI
The VMSVGA (VMware SVGA II) is an emulated virtual graphics adapter that VirtualBox presents to guest operating systems as a display controller. Implemented within the hypervisor's device emulation layer, the VMSVGA component handles guest-issued I/O port writes and memory-mapped I/O commands that control screen rendering. CPE data (cpe:2.3:a:oracle_corporation:oracle_vm_virtualbox:*:*:*:*:*:*:*:*) confirms this is Oracle's mainline VirtualBox product. The CWE classification is absent from available data, limiting root cause precision; however, the 'Authentication Bypass' tag in the ENISA EUVD intelligence record (EUVD-2026-37334) suggests the flaw may permit a privileged guest or host-level process to bypass device-level access controls within the VMSVGA emulation, leading to unauthorized data modification. The scope change (S:C) is architecturally significant: it indicates the exploit crosses a security boundary - likely guest-to-host or guest-to-guest - allowing integrity impacts on components outside the initial attack target.
RemediationAI
Apply Oracle's Critical Security Update for June 2026, available at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses this vulnerability in VirtualBox 7.2.8. The exact patched release version is not independently confirmed from the available data - consult the Oracle advisory directly for the specific fix version and installation instructions. As a compensating control pending patching, administrators can change the virtual graphics controller for affected guest VMs from VMSVGA to VBoxVGA or VMSVGA without 3D acceleration enabled, which reduces the attack surface of the vulnerable component; note this will disable 3D graphics acceleration for affected guests, potentially impacting GPU-dependent workloads. Additionally, restrict host-level and guest administrative access to only explicitly authorized personnel, reducing the pool of accounts that satisfy the PR:H prerequisite. In multi-tenant environments, treat isolation boundaries as potentially compromised until the patch is applied.
More in Oracle Vm Virtualbox
View allPrivileged local compromise of Oracle VM VirtualBox 7.2.8 allows an attacker already authenticated to the host with high
Privilege escalation and host takeover in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a hig
Confidentiality and integrity compromise in Oracle VM VirtualBox 7.2.8 (Shared Folders component) allows a low-privilege
The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the gu
Denial-of-service in Oracle VM VirtualBox 7.2.8 affects the VMSVGA virtual graphics device emulation layer, allowing a h
Local information disclosure in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileg
Information disclosure in the VMSVGA device component of Oracle VM VirtualBox 7.2.8 enables a highly privileged local at
Unauthorized read access in Oracle VM VirtualBox 7.2.8's VMSVGA device component can be triggered by a locally authentic
Oracle VM VirtualBox 7.2.8 Core component exposes a local information disclosure path exploitable by a high-privileged a
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37334