Skip to main content

Oracle VM VirtualBox CVE-2026-46873

| EUVDEUVD-2026-37366 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Local logon and high privileges (typically guest-root) needed, exploitation is non-trivial (AC:H), and successful VM escape crosses scope with full host CIA impact.

3.1 AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:34 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privilege escalation and host takeover in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged local attacker to break out of the virtualization boundary and impact additional products beyond VirtualBox itself (scope change). The flaw carries a CVSS 3.1 base score of 7.5 with full confidentiality, integrity, and availability impact, but exploitation is rated high complexity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain admin/root inside guest VM
Delivery
Enumerate VMSVGA device exposure
Exploit
Issue crafted VMSVGA FIFO/3D command sequence
Execution
Trigger flaw in host emulator
Persist
Escape guest to host process (scope change)
Impact
Take over VirtualBox and adjacent components

Vulnerability AssessmentAI

Exploitation Exploitation requires the VMSVGA graphics controller to be the active display adapter for the targeted guest VM (it is the VirtualBox default for modern guests, so most deployments qualify), local logon to the system running VirtualBox 7.2.8, and high privileges on that system per the CVSS PR:H metric - in VM-escape vulnerabilities this typically means root/Administrator inside a guest rather than on the host. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H tells a nuanced story: the attacker must already have local logon and high privileges on the system where VirtualBox executes, and the attack is hard to engineer, but if it succeeds it crosses a trust boundary (S:C) and yields full CIA compromise of the host or adjacent products - the textbook VM-escape profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already obtained administrative privileges inside a guest VM - for example via a phished developer workstation hosting a sandbox VM, or by abusing a multi-tenant lab host - issues a crafted sequence of VMSVGA FIFO/3D commands from the guest to trigger the flaw in the host's emulator code. Because the bug is scope-changing, successful exploitation lets the attacker break out of the guest and execute code or otherwise compromise the host VirtualBox process and adjacent products. …
Remediation Patch available per vendor advisory - apply the fixes shipped in the Oracle Critical Patch Update of June 2026 documented at https://www.oracle.com/security-alerts/cspujun2026.html, which supersedes Oracle VM VirtualBox 7.2.8; consult the CPU matrix for the exact post-7.2.8 fixed build before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Disable the VMSVGA virtual graphics device on all VirtualBox 7.2.8 instances and perform inventory of affected deployments; move VirtualBox 7.2.8 systems to isolated, non-production networks only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46873 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy