Skip to main content

Oracle VM VirtualBox CVE-2026-46977

| EUVDEUVD-2026-37286 LOW
Information Exposure (CWE-200)
2026-06-16 oracle
3.2
CVSS 3.1 · Vendor: oracle

Severity by source

Vendor (oracle) PRIMARY
3.2 LOW
AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
vuln.today AI
3.2 LOW

Local high-privilege access required for VMSVGA interaction; scope change to host yields S:C; read-only limited data exposure gives C:L with no integrity or availability impact.

3.1 AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:21 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).

AnalysisAI

Unauthorized read access in Oracle VM VirtualBox 7.2.8's VMSVGA device component can be triggered by a locally authenticated, highly privileged attacker, resulting in a scope-change impact that may expose a subset of confidential data from resources beyond the guest VM boundary, potentially the host layer. Oracle's June 2026 Critical Patch Update describes the flaw as easily exploitable once the high-privilege prerequisite is met, though the constrained attack surface limits realistic exposure to administrative accounts with existing local host access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privilege local host credentials
Exploit
Access VMSVGA device emulation layer
Execution
Trigger unauthorized memory or data read
Impact
Exfiltrate scoped data beyond guest VM boundary

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to have high-privilege local logon access to the physical or virtual host infrastructure where Oracle VM VirtualBox 7.2.8 is running - as defined by the CVSS vector's PR:H and AV:L metrics. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The real-world risk of CVE-2026-46977 is low despite the scope-change flag. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A highly privileged local administrator or compromised high-privilege account on the VirtualBox 7.2.8 host interacts with the VMSVGA device component - for example, through a privileged guest process or direct host-level API call - and triggers the vulnerability to read a restricted subset of VirtualBox-accessible memory or data. Due to the scope change, the exposed data may originate from the host hypervisor layer rather than remaining isolated to the attacking guest's own memory space. …
Remediation The primary remediation is to apply Oracle's Critical Patch Update issued in June 2026, referenced at https://www.oracle.com/security-alerts/cspujun2026.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46977 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy