Skip to main content

Oracle VM VirtualBox CVE-2026-46825

| EUVDEUVD-2026-37334 MEDIUM
Improper Access Control (CWE-284)
2026-06-16 oracle
6.0
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
6.0 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
vuln.today AI
6.0 MEDIUM

Local vector and high privilege required to interact with VMSVGA device; scope change reflects cross-boundary integrity impact on host or peer VMs; no confidentiality or availability impact observed.

3.1 AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:24 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N).

AnalysisAI

Integrity compromise in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device component allows a highly privileged local attacker to make unauthorized modifications to critical data, with scope change indicating impact extends beyond the initially targeted VM instance. The CVSS 3.1 vector (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N) confirms local-only attack surface requiring high privileges, but the confirmed scope change elevates the potential blast radius to the host or adjacent VMs. No public exploit has been identified at time of analysis, and the vulnerability is patched under Oracle's Critical Security Update for June 2026.

Technical ContextAI

The VMSVGA (VMware SVGA II) is an emulated virtual graphics adapter that VirtualBox presents to guest operating systems as a display controller. Implemented within the hypervisor's device emulation layer, the VMSVGA component handles guest-issued I/O port writes and memory-mapped I/O commands that control screen rendering. CPE data (cpe:2.3:a:oracle_corporation:oracle_vm_virtualbox:*:*:*:*:*:*:*:*) confirms this is Oracle's mainline VirtualBox product. The CWE classification is absent from available data, limiting root cause precision; however, the 'Authentication Bypass' tag in the ENISA EUVD intelligence record (EUVD-2026-37334) suggests the flaw may permit a privileged guest or host-level process to bypass device-level access controls within the VMSVGA emulation, leading to unauthorized data modification. The scope change (S:C) is architecturally significant: it indicates the exploit crosses a security boundary - likely guest-to-host or guest-to-guest - allowing integrity impacts on components outside the initial attack target.

RemediationAI

Apply Oracle's Critical Security Update for June 2026, available at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses this vulnerability in VirtualBox 7.2.8. The exact patched release version is not independently confirmed from the available data - consult the Oracle advisory directly for the specific fix version and installation instructions. As a compensating control pending patching, administrators can change the virtual graphics controller for affected guest VMs from VMSVGA to VBoxVGA or VMSVGA without 3D acceleration enabled, which reduces the attack surface of the vulnerable component; note this will disable 3D graphics acceleration for affected guests, potentially impacting GPU-dependent workloads. Additionally, restrict host-level and guest administrative access to only explicitly authorized personnel, reducing the pool of accounts that satisfy the PR:H prerequisite. In multi-tenant environments, treat isolation boundaries as potentially compromised until the patch is applied.

Share

CVE-2026-46825 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy