Skip to main content

Oracle VM VirtualBox EUVDEUVD-2026-37369

| CVE-2026-46877 MEDIUM
Improper Privilege Management (CWE-269)
2026-06-16 oracle
6.0
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
6.0 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
6.0 MEDIUM

Local-only attack via VMSVGA device interaction requires high-privilege access; scope change reflects host boundary crossing with confidentiality-only impact.

3.1 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:22 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: VMSVGA device). The supported version that is affected is 7.2.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

AnalysisAI

The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the guest-to-host isolation boundary and gain unauthorized read access to critical data beyond the VM's intended scope. The CVSS scope change (S:C) confirms this is a hypervisor boundary violation - successful exploitation exposes host-level or cross-VM confidential data, a severe outcome in multi-tenant virtualization environments despite the moderate base score. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation.

Technical ContextAI

The VMSVGA (VMware SVGA II) is a virtual graphics adapter emulated by Oracle VM VirtualBox to provide enhanced guest display capabilities including higher resolutions and 3D acceleration. As a device emulation component executing in the hypervisor layer (the VirtualBox process on the host), flaws in VMSVGA command or memory processing can allow a privileged guest-side caller to trigger reads outside the guest's permitted memory bounds, crossing the hypervisor isolation boundary. The confirmed affected product is cpe:2.3:a:oracle_corporation:oracle_vm_virtualbox:*:*:*:*:*:*:*:* at version 7.2.8, as reported by Oracle and corroborated by ENISA EUVD-2026-37369. The CWE is listed as N/A by Oracle, leaving the root cause class formally unclassified; given the confidentiality-only impact and scope change, the mechanism is consistent with an out-of-bounds read or memory disclosure in device emulation code, though this is inferred rather than confirmed. The 'Authentication Bypass' tag present in the intelligence metadata is potentially misleading and conflicts with the PR:H CVSS metric - it may refer to bypassing VM memory isolation rather than traditional credential-based authentication, but this is unresolved from available data.

RemediationAI

Apply the fix distributed through Oracle's Critical Patch Update for June 2026, accessible at https://www.oracle.com/security-alerts/cspujun2026.html. An exact patched version number beyond 7.2.8 is not independently confirmed from available intelligence - consult the Oracle advisory directly for the specific target upgrade version before deploying. As a compensating control where patching is immediately impractical, restrict logon and administrative access to the VirtualBox host to the absolute minimum required set of high-privileged users, reducing the attacker population that can satisfy the PR:H prerequisite. For headless or server VMs that do not require guest display output, consider reconfiguring the guest graphics adapter away from VMSVGA (e.g., to VBoxVGA), which removes the vulnerable component from the attack surface; note this disables 3D acceleration and may limit guest display resolution. In multi-tenant environments, audit which users hold high-privileged access to VirtualBox infrastructure and treat such accounts as high-value targets requiring additional monitoring.

Share

EUVD-2026-37369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy