Severity by source
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Local-only attack via VMSVGA device interaction requires high-privilege access; scope change reflects host boundary crossing with confidentiality-only impact.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
AnalysisAI
The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the guest-to-host isolation boundary and gain unauthorized read access to critical data beyond the VM's intended scope. The CVSS scope change (S:C) confirms this is a hypervisor boundary violation - successful exploitation exposes host-level or cross-VM confidential data, a severe outcome in multi-tenant virtualization environments despite the moderate base score. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation.
Technical ContextAI
The VMSVGA (VMware SVGA II) is a virtual graphics adapter emulated by Oracle VM VirtualBox to provide enhanced guest display capabilities including higher resolutions and 3D acceleration. As a device emulation component executing in the hypervisor layer (the VirtualBox process on the host), flaws in VMSVGA command or memory processing can allow a privileged guest-side caller to trigger reads outside the guest's permitted memory bounds, crossing the hypervisor isolation boundary. The confirmed affected product is cpe:2.3:a:oracle_corporation:oracle_vm_virtualbox:*:*:*:*:*:*:*:* at version 7.2.8, as reported by Oracle and corroborated by ENISA EUVD-2026-37369. The CWE is listed as N/A by Oracle, leaving the root cause class formally unclassified; given the confidentiality-only impact and scope change, the mechanism is consistent with an out-of-bounds read or memory disclosure in device emulation code, though this is inferred rather than confirmed. The 'Authentication Bypass' tag present in the intelligence metadata is potentially misleading and conflicts with the PR:H CVSS metric - it may refer to bypassing VM memory isolation rather than traditional credential-based authentication, but this is unresolved from available data.
RemediationAI
Apply the fix distributed through Oracle's Critical Patch Update for June 2026, accessible at https://www.oracle.com/security-alerts/cspujun2026.html. An exact patched version number beyond 7.2.8 is not independently confirmed from available intelligence - consult the Oracle advisory directly for the specific target upgrade version before deploying. As a compensating control where patching is immediately impractical, restrict logon and administrative access to the VirtualBox host to the absolute minimum required set of high-privileged users, reducing the attacker population that can satisfy the PR:H prerequisite. For headless or server VMs that do not require guest display output, consider reconfiguring the guest graphics adapter away from VMSVGA (e.g., to VBoxVGA), which removes the vulnerable component from the attack surface; note this disables 3D acceleration and may limit guest display resolution. In multi-tenant environments, audit which users hold high-privileged access to VirtualBox infrastructure and treat such accounts as high-value targets requiring additional monitoring.
More in Oracle Vm Virtualbox
View allPrivileged local compromise of Oracle VM VirtualBox 7.2.8 allows an attacker already authenticated to the host with high
Privilege escalation and host takeover in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a hig
Confidentiality and integrity compromise in Oracle VM VirtualBox 7.2.8 (Shared Folders component) allows a low-privilege
Integrity compromise in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device component allows a highly priv
Denial-of-service in Oracle VM VirtualBox 7.2.8 affects the VMSVGA virtual graphics device emulation layer, allowing a h
Local information disclosure in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileg
Information disclosure in the VMSVGA device component of Oracle VM VirtualBox 7.2.8 enables a highly privileged local at
Unauthorized read access in Oracle VM VirtualBox 7.2.8's VMSVGA device component can be triggered by a locally authentic
Oracle VM VirtualBox 7.2.8 Core component exposes a local information disclosure path exploitable by a high-privileged a
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37369