Skip to main content

Oracle VM VirtualBox EUVDEUVD-2026-37284

| CVE-2026-46974 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Local host access with high admin privileges and non-trivial conditions, no user interaction, and hypervisor scope change yielding full CIA impact on guests/adjacent products.

3.1 AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:45 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.8. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privileged local compromise of Oracle VM VirtualBox 7.2.8 allows an attacker already authenticated to the host with high privileges to take over the VirtualBox installation and cross the hypervisor boundary into additional products (scope-changed). Oracle's CPU advisory rates this CVSS 3.1 7.5 with high attack complexity; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

Oracle VM VirtualBox is a type-2 hypervisor whose Core component manages virtual machine execution, device emulation, and host/guest interaction on the underlying OS. The flaw resides in this Core component on VirtualBox 7.2.8 (CPE cpe:2.3:a:oracle_corporation:oracle_vm_virtualbox:*) and produces a scope change (S:C in CVSS), characteristic of hypervisor-class bugs where logic in the host-side VMM can affect guest VMs or other co-resident security domains. No CWE was assigned by Oracle, but the scope-change plus full CIA impact pattern is consistent with VM-escape or privilege-confusion classes typical of past VirtualBox Core advisories.

RemediationAI

Apply the fixes shipped in Oracle's June 2026 Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html; an exact post-7.2.8 fix version is not enumerated in the provided data, so consult the CPU matrix for the precise build. In the interim, restrict who holds administrative or VirtualBox-service privileges on hosts running 7.2.8, since exploitation requires PR:H local logon - remove standing admin rights from operators, gate access through just-in-time elevation, and avoid running untrusted workloads or multi-tenant VMs on the same host (trade-off: reduced operational flexibility for shared lab hosts). Where feasible, isolate VirtualBox hosts from sensitive networks until patched so a scope-changed compromise cannot pivot into adjacent production systems.

Share

EUVD-2026-37284 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy