Skip to main content

Oracle Vm Virtualbox

10 CVEs product

Monthly

CVE-2026-46977 LOW Monitor

Unauthorized read access in Oracle VM VirtualBox 7.2.8's VMSVGA device component can be triggered by a locally authenticated, highly privileged attacker, resulting in a scope-change impact that may expose a subset of confidential data from resources beyond the guest VM boundary, potentially the host layer. Oracle's June 2026 Critical Patch Update describes the flaw as easily exploitable once the high-privilege prerequisite is met, though the constrained attack surface limits realistic exposure to administrative accounts with existing local host access. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis; the low CVSS base score of 3.2 reflects the narrow confidentiality-only impact and strict access requirements.

Oracle Oracle Vm Virtualbox Information Disclosure
NVD VulDB
CVSS 3.1
3.2
EPSS
0.1%
CVE-2026-46974 HIGH This Week

Privileged local compromise of Oracle VM VirtualBox 7.2.8 allows an attacker already authenticated to the host with high privileges to take over the VirtualBox installation and cross the hypervisor boundary into additional products (scope-changed). Oracle's CPU advisory rates this CVSS 3.1 7.5 with high attack complexity; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Oracle Oracle Vm Virtualbox Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-46877 MEDIUM This Month

The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the guest-to-host isolation boundary and gain unauthorized read access to critical data beyond the VM's intended scope. The CVSS scope change (S:C) confirms this is a hypervisor boundary violation - successful exploitation exposes host-level or cross-VM confidential data, a severe outcome in multi-tenant virtualization environments despite the moderate base score. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation.

Authentication Bypass Oracle Oracle Vm Virtualbox Privilege Escalation
NVD VulDB
CVSS 3.1
6.0
EPSS
0.2%
CVE-2026-46874 LOW Monitor

Oracle VM VirtualBox 7.2.8 Core component exposes a local information disclosure path exploitable by a high-privileged attacker already logged on to the host infrastructure, resulting in unauthorized read access to a subset of VirtualBox-accessible data. The CVSS scope change (S:C) indicates the read impact may cross virtualization boundaries and affect additional products - such as guest VMs - beyond the VirtualBox process itself. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, placing this in a low-urgency but operationally meaningful category for multi-tenant virtualization environments.

Oracle Oracle Vm Virtualbox Information Disclosure
NVD VulDB
CVSS 3.1
3.2
EPSS
0.1%
CVE-2026-46873 HIGH This Week

Privilege escalation and host takeover in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged local attacker to break out of the virtualization boundary and impact additional products beyond VirtualBox itself (scope change). The flaw carries a CVSS 3.1 base score of 7.5 with full confidentiality, integrity, and availability impact, but exploitation is rated high complexity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Oracle Vm Virtualbox Privilege Escalation
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-46825 MEDIUM This Month

Integrity compromise in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device component allows a highly privileged local attacker to make unauthorized modifications to critical data, with scope change indicating impact extends beyond the initially targeted VM instance. The CVSS 3.1 vector (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N) confirms local-only attack surface requiring high privileges, but the confirmed scope change elevates the potential blast radius to the host or adjacent VMs. No public exploit has been identified at time of analysis, and the vulnerability is patched under Oracle's Critical Security Update for June 2026.

Authentication Bypass Oracle Oracle Vm Virtualbox
NVD VulDB
CVSS 3.1
6.0
EPSS
0.2%
CVE-2026-46816 LOW Monitor

Local information disclosure in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged guest or host attacker to read a subset of VirtualBox-accessible data across the VM isolation boundary. The scope change (S:C) in the CVSS vector indicates the vulnerability crosses the hypervisor boundary, making it relevant to multi-tenant or shared virtualization deployments despite the low base score of 3.2. No public exploit has been identified and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog; Oracle addressed it in the June 2026 Critical Patch Update.

Oracle Oracle Vm Virtualbox Information Disclosure
NVD VulDB
CVSS 3.1
3.2
EPSS
0.2%
CVE-2026-46815 LOW Monitor

Information disclosure in the VMSVGA device component of Oracle VM VirtualBox 7.2.8 enables a highly privileged local attacker already present on the virtualization host to read a subset of VirtualBox-accessible data. The scope change (S:C) in the CVSS vector is the most operationally significant element - exploitation can impact components beyond the VirtualBox process itself, potentially reaching adjacent VMs or host resources. No public exploit code and no active exploitation have been identified at time of analysis; CVSS base score of 3.2 (Low) reflects limited confidentiality impact and a high privilege bar.

Oracle Oracle Vm Virtualbox Information Disclosure
NVD VulDB
CVSS 3.1
3.2
EPSS
0.2%
CVE-2026-46768 MEDIUM This Month

Denial-of-service in Oracle VM VirtualBox 7.2.8 affects the VMSVGA virtual graphics device emulation layer, allowing a highly privileged local attacker to cause a persistent hang or fully repeatable crash of the hypervisor process. The CVSS Scope:Changed metric signals that the DoS impact propagates beyond the attacker's own guest VM, potentially destabilizing the host process and all co-resident VMs - a meaningful concern in multi-tenant and VDI environments. No public exploit code exists and no CISA KEV listing is present at time of analysis; exploitation is bounded by the requirement for high-privileged local access to the infrastructure.

Oracle Oracle Vm Virtualbox Authentication Bypass
NVD VulDB
CVSS 3.1
6.0
EPSS
0.2%
CVE-2026-35275 HIGH This Week

Confidentiality and integrity compromise in Oracle VM VirtualBox 7.2.8 (Shared Folders component) allows a low-privileged local attacker on the host to escape the guest/host boundary and access or modify critical data across the scope, including resources outside VirtualBox itself. The flaw is rated CVSS 3.1 7.5 with a scope change, but exploitation is rated High complexity by Oracle and there is no public exploit identified at time of analysis. Patch is available per Oracle's June 2026 Critical Patch Update advisory.

Authentication Bypass Oracle Oracle Vm Virtualbox
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
EPSS 0% CVSS 3.2
LOW Monitor

Unauthorized read access in Oracle VM VirtualBox 7.2.8's VMSVGA device component can be triggered by a locally authenticated, highly privileged attacker, resulting in a scope-change impact that may expose a subset of confidential data from resources beyond the guest VM boundary, potentially the host layer. Oracle's June 2026 Critical Patch Update describes the flaw as easily exploitable once the high-privilege prerequisite is met, though the constrained attack surface limits realistic exposure to administrative accounts with existing local host access. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis; the low CVSS base score of 3.2 reflects the narrow confidentiality-only impact and strict access requirements.

Oracle Oracle Vm Virtualbox Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Privileged local compromise of Oracle VM VirtualBox 7.2.8 allows an attacker already authenticated to the host with high privileges to take over the VirtualBox installation and cross the hypervisor boundary into additional products (scope-changed). Oracle's CPU advisory rates this CVSS 3.1 7.5 with high attack complexity; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Oracle Oracle Vm Virtualbox Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM This Month

The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the guest-to-host isolation boundary and gain unauthorized read access to critical data beyond the VM's intended scope. The CVSS scope change (S:C) confirms this is a hypervisor boundary violation - successful exploitation exposes host-level or cross-VM confidential data, a severe outcome in multi-tenant virtualization environments despite the moderate base score. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation.

Authentication Bypass Oracle Oracle Vm Virtualbox +1
NVD VulDB
EPSS 0% CVSS 3.2
LOW Monitor

Oracle VM VirtualBox 7.2.8 Core component exposes a local information disclosure path exploitable by a high-privileged attacker already logged on to the host infrastructure, resulting in unauthorized read access to a subset of VirtualBox-accessible data. The CVSS scope change (S:C) indicates the read impact may cross virtualization boundaries and affect additional products - such as guest VMs - beyond the VirtualBox process itself. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, placing this in a low-urgency but operationally meaningful category for multi-tenant virtualization environments.

Oracle Oracle Vm Virtualbox Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Privilege escalation and host takeover in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged local attacker to break out of the virtualization boundary and impact additional products beyond VirtualBox itself (scope change). The flaw carries a CVSS 3.1 base score of 7.5 with full confidentiality, integrity, and availability impact, but exploitation is rated high complexity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Oracle Vm Virtualbox Privilege Escalation
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM This Month

Integrity compromise in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device component allows a highly privileged local attacker to make unauthorized modifications to critical data, with scope change indicating impact extends beyond the initially targeted VM instance. The CVSS 3.1 vector (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N) confirms local-only attack surface requiring high privileges, but the confirmed scope change elevates the potential blast radius to the host or adjacent VMs. No public exploit has been identified at time of analysis, and the vulnerability is patched under Oracle's Critical Security Update for June 2026.

Authentication Bypass Oracle Oracle Vm Virtualbox
NVD VulDB
EPSS 0% CVSS 3.2
LOW Monitor

Local information disclosure in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged guest or host attacker to read a subset of VirtualBox-accessible data across the VM isolation boundary. The scope change (S:C) in the CVSS vector indicates the vulnerability crosses the hypervisor boundary, making it relevant to multi-tenant or shared virtualization deployments despite the low base score of 3.2. No public exploit has been identified and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog; Oracle addressed it in the June 2026 Critical Patch Update.

Oracle Oracle Vm Virtualbox Information Disclosure
NVD VulDB
EPSS 0% CVSS 3.2
LOW Monitor

Information disclosure in the VMSVGA device component of Oracle VM VirtualBox 7.2.8 enables a highly privileged local attacker already present on the virtualization host to read a subset of VirtualBox-accessible data. The scope change (S:C) in the CVSS vector is the most operationally significant element - exploitation can impact components beyond the VirtualBox process itself, potentially reaching adjacent VMs or host resources. No public exploit code and no active exploitation have been identified at time of analysis; CVSS base score of 3.2 (Low) reflects limited confidentiality impact and a high privilege bar.

Oracle Oracle Vm Virtualbox Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM This Month

Denial-of-service in Oracle VM VirtualBox 7.2.8 affects the VMSVGA virtual graphics device emulation layer, allowing a highly privileged local attacker to cause a persistent hang or fully repeatable crash of the hypervisor process. The CVSS Scope:Changed metric signals that the DoS impact propagates beyond the attacker's own guest VM, potentially destabilizing the host process and all co-resident VMs - a meaningful concern in multi-tenant and VDI environments. No public exploit code exists and no CISA KEV listing is present at time of analysis; exploitation is bounded by the requirement for high-privileged local access to the infrastructure.

Oracle Oracle Vm Virtualbox Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Confidentiality and integrity compromise in Oracle VM VirtualBox 7.2.8 (Shared Folders component) allows a low-privileged local attacker on the host to escape the guest/host boundary and access or modify critical data across the scope, including resources outside VirtualBox itself. The flaw is rated CVSS 3.1 7.5 with a scope change, but exploitation is rated High complexity by Oracle and there is no public exploit identified at time of analysis. Patch is available per Oracle's June 2026 Critical Patch Update advisory.

Authentication Bypass Oracle Oracle Vm Virtualbox
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy