Skip to main content

Oracle VM VirtualBox CVE-2026-46974

| EUVDEUVD-2026-37284 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Local host access with high admin privileges and non-trivial conditions, no user interaction, and hypervisor scope change yielding full CIA impact on guests/adjacent products.

3.1 AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:45 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.8. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privileged local compromise of Oracle VM VirtualBox 7.2.8 allows an attacker already authenticated to the host with high privileges to take over the VirtualBox installation and cross the hypervisor boundary into additional products (scope-changed). Oracle's CPU advisory rates this CVSS 3.1 7.5 with high attack complexity; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain privileged logon to VirtualBox host
Delivery
Interact with Core component via VM/device operations
Exploit
Trigger high-complexity flaw in hypervisor core
Execution
Achieve VirtualBox takeover with scope change
Impact
Pivot impact into guests or adjacent Oracle products

Vulnerability AssessmentAI

Exploitation Attacker must have an interactive local logon to the host OS running Oracle VM VirtualBox 7.2.8 and already hold high privileges on that host (administrator/root or equivalent VirtualBox service rights), per CVSS AV:L/PR:H. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed-to-moderate: CVSS 3.1 base is 7.5 but the vector (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) shows real-world exploitation is gated by local access, high attacker privileges, and high complexity - meaning an attacker must already have a privileged foothold on the VirtualBox host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised administrator logged onto a VirtualBox 7.2.8 host triggers the Core-component flaw through carefully crafted VM or device-emulation operations, despite the high attack complexity. Because of the scope change, the takeover of VirtualBox extends impact to co-resident guests or integrated Oracle products, turning a host-admin foothold into hypervisor-level control. …
Remediation Apply the fixes shipped in Oracle's June 2026 Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html; an exact post-7.2.8 fix version is not enumerated in the provided data, so consult the CPU matrix for the precise build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running VirtualBox 7.2.8 and document VM trust boundaries and connected systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46974 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy