Severity by source
AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Local-only vector, high privileges required to access VMSVGA device; scope change justified by cross-VM data read; confidentiality impact only.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).
AnalysisAI
Information disclosure in the VMSVGA device component of Oracle VM VirtualBox 7.2.8 enables a highly privileged local attacker already present on the virtualization host to read a subset of VirtualBox-accessible data. The scope change (S:C) in the CVSS vector is the most operationally significant element - exploitation can impact components beyond the VirtualBox process itself, potentially reaching adjacent VMs or host resources. No public exploit code and no active exploitation have been identified at time of analysis; CVSS base score of 3.2 (Low) reflects limited confidentiality impact and a high privilege bar.
Technical ContextAI
The VMSVGA device is VirtualBox's emulation of the VMware SVGA II virtual graphics adapter, responsible for guest-to-host display communication and memory-mapped I/O. A flaw in this emulation layer allows privileged access to memory or data regions accessible by the VirtualBox process. The CVSS scope-change flag (S:C) indicates that the exploitable component and the impacted component reside in different security domains - meaning a guest-level or host-level privileged actor could potentially read data belonging to a distinct security context (e.g., another guest VM's accessible data or host memory). CWE is listed as N/A in the source data, leaving root cause class unconfirmed; however, the 'Authentication Bypass' tag in the intelligence feed is inconsistent with the PR:H CVSS metric (which requires high privileges, the opposite of a bypass). The CPE string (cpe:2.3:a:oracle_corporation:oracle_vm_virtualbox:*:*:*:*:*:*:*:*) uses a wildcard version field, with the specific affected version confirmed as 7.2.8 by both the Oracle advisory and EUVD-2026-37332.
RemediationAI
Consult Oracle's June 2026 Critical Patch Update at https://www.oracle.com/security-alerts/cspujun2026.html for the patched release; the advisory is the authoritative source for the exact fix version, which is not independently specified in the available intelligence data. Patch available per vendor advisory - but released patched version not independently confirmed in available data. As a compensating control, administrators can configure affected VMs to use an alternative virtual graphics adapter (e.g., VBoxVGA or VBoxSVGA in non-VMSVGA mode) to eliminate exposure of the vulnerable VMSVGA code path; note this may impact guest display performance and 3D acceleration features. Access to the VirtualBox host infrastructure should be restricted to the minimum required privileged accounts, reducing the pool of principals capable of triggering this flaw. Given the low CVSS severity and high privilege prerequisite, organizations may defer patching until the next maintenance window under most risk frameworks.
More in Oracle Vm Virtualbox
View allPrivileged local compromise of Oracle VM VirtualBox 7.2.8 allows an attacker already authenticated to the host with high
Privilege escalation and host takeover in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a hig
Confidentiality and integrity compromise in Oracle VM VirtualBox 7.2.8 (Shared Folders component) allows a low-privilege
The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the gu
Integrity compromise in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device component allows a highly priv
Denial-of-service in Oracle VM VirtualBox 7.2.8 affects the VMSVGA virtual graphics device emulation layer, allowing a h
Local information disclosure in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileg
Unauthorized read access in Oracle VM VirtualBox 7.2.8's VMSVGA device component can be triggered by a locally authentic
Oracle VM VirtualBox 7.2.8 Core component exposes a local information disclosure path exploitable by a high-privileged a
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37332