Skip to main content

Oracle VM VirtualBox EUVDEUVD-2026-37332

| CVE-2026-46815 LOW
Information Exposure (CWE-200)
2026-06-16 oracle
3.2
CVSS 3.1 · Vendor: oracle

Severity by source

Vendor (oracle) PRIMARY
3.2 LOW
AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
vuln.today AI
3.2 LOW

Local-only vector, high privileges required to access VMSVGA device; scope change justified by cross-VM data read; confidentiality impact only.

3.1 AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:25 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).

AnalysisAI

Information disclosure in the VMSVGA device component of Oracle VM VirtualBox 7.2.8 enables a highly privileged local attacker already present on the virtualization host to read a subset of VirtualBox-accessible data. The scope change (S:C) in the CVSS vector is the most operationally significant element - exploitation can impact components beyond the VirtualBox process itself, potentially reaching adjacent VMs or host resources. No public exploit code and no active exploitation have been identified at time of analysis; CVSS base score of 3.2 (Low) reflects limited confidentiality impact and a high privilege bar.

Technical ContextAI

The VMSVGA device is VirtualBox's emulation of the VMware SVGA II virtual graphics adapter, responsible for guest-to-host display communication and memory-mapped I/O. A flaw in this emulation layer allows privileged access to memory or data regions accessible by the VirtualBox process. The CVSS scope-change flag (S:C) indicates that the exploitable component and the impacted component reside in different security domains - meaning a guest-level or host-level privileged actor could potentially read data belonging to a distinct security context (e.g., another guest VM's accessible data or host memory). CWE is listed as N/A in the source data, leaving root cause class unconfirmed; however, the 'Authentication Bypass' tag in the intelligence feed is inconsistent with the PR:H CVSS metric (which requires high privileges, the opposite of a bypass). The CPE string (cpe:2.3:a:oracle_corporation:oracle_vm_virtualbox:*:*:*:*:*:*:*:*) uses a wildcard version field, with the specific affected version confirmed as 7.2.8 by both the Oracle advisory and EUVD-2026-37332.

RemediationAI

Consult Oracle's June 2026 Critical Patch Update at https://www.oracle.com/security-alerts/cspujun2026.html for the patched release; the advisory is the authoritative source for the exact fix version, which is not independently specified in the available intelligence data. Patch available per vendor advisory - but released patched version not independently confirmed in available data. As a compensating control, administrators can configure affected VMs to use an alternative virtual graphics adapter (e.g., VBoxVGA or VBoxSVGA in non-VMSVGA mode) to eliminate exposure of the vulnerable VMSVGA code path; note this may impact guest display performance and 3D acceleration features. Access to the VirtualBox host infrastructure should be restricted to the minimum required privileged accounts, reducing the pool of principals capable of triggering this flaw. Given the low CVSS severity and high privilege prerequisite, organizations may defer patching until the next maintenance window under most risk frameworks.

Share

EUVD-2026-37332 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy