Oracle Vm Virtualbox
Monthly
Unauthorized read access in Oracle VM VirtualBox 7.2.8's VMSVGA device component can be triggered by a locally authenticated, highly privileged attacker, resulting in a scope-change impact that may expose a subset of confidential data from resources beyond the guest VM boundary, potentially the host layer. Oracle's June 2026 Critical Patch Update describes the flaw as easily exploitable once the high-privilege prerequisite is met, though the constrained attack surface limits realistic exposure to administrative accounts with existing local host access. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis; the low CVSS base score of 3.2 reflects the narrow confidentiality-only impact and strict access requirements.
Privileged local compromise of Oracle VM VirtualBox 7.2.8 allows an attacker already authenticated to the host with high privileges to take over the VirtualBox installation and cross the hypervisor boundary into additional products (scope-changed). Oracle's CPU advisory rates this CVSS 3.1 7.5 with high attack complexity; no public exploit identified at time of analysis and it is not listed in CISA KEV.
The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the guest-to-host isolation boundary and gain unauthorized read access to critical data beyond the VM's intended scope. The CVSS scope change (S:C) confirms this is a hypervisor boundary violation - successful exploitation exposes host-level or cross-VM confidential data, a severe outcome in multi-tenant virtualization environments despite the moderate base score. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation.
Oracle VM VirtualBox 7.2.8 Core component exposes a local information disclosure path exploitable by a high-privileged attacker already logged on to the host infrastructure, resulting in unauthorized read access to a subset of VirtualBox-accessible data. The CVSS scope change (S:C) indicates the read impact may cross virtualization boundaries and affect additional products - such as guest VMs - beyond the VirtualBox process itself. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, placing this in a low-urgency but operationally meaningful category for multi-tenant virtualization environments.
Privilege escalation and host takeover in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged local attacker to break out of the virtualization boundary and impact additional products beyond VirtualBox itself (scope change). The flaw carries a CVSS 3.1 base score of 7.5 with full confidentiality, integrity, and availability impact, but exploitation is rated high complexity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Integrity compromise in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device component allows a highly privileged local attacker to make unauthorized modifications to critical data, with scope change indicating impact extends beyond the initially targeted VM instance. The CVSS 3.1 vector (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N) confirms local-only attack surface requiring high privileges, but the confirmed scope change elevates the potential blast radius to the host or adjacent VMs. No public exploit has been identified at time of analysis, and the vulnerability is patched under Oracle's Critical Security Update for June 2026.
Local information disclosure in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged guest or host attacker to read a subset of VirtualBox-accessible data across the VM isolation boundary. The scope change (S:C) in the CVSS vector indicates the vulnerability crosses the hypervisor boundary, making it relevant to multi-tenant or shared virtualization deployments despite the low base score of 3.2. No public exploit has been identified and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog; Oracle addressed it in the June 2026 Critical Patch Update.
Information disclosure in the VMSVGA device component of Oracle VM VirtualBox 7.2.8 enables a highly privileged local attacker already present on the virtualization host to read a subset of VirtualBox-accessible data. The scope change (S:C) in the CVSS vector is the most operationally significant element - exploitation can impact components beyond the VirtualBox process itself, potentially reaching adjacent VMs or host resources. No public exploit code and no active exploitation have been identified at time of analysis; CVSS base score of 3.2 (Low) reflects limited confidentiality impact and a high privilege bar.
Denial-of-service in Oracle VM VirtualBox 7.2.8 affects the VMSVGA virtual graphics device emulation layer, allowing a highly privileged local attacker to cause a persistent hang or fully repeatable crash of the hypervisor process. The CVSS Scope:Changed metric signals that the DoS impact propagates beyond the attacker's own guest VM, potentially destabilizing the host process and all co-resident VMs - a meaningful concern in multi-tenant and VDI environments. No public exploit code exists and no CISA KEV listing is present at time of analysis; exploitation is bounded by the requirement for high-privileged local access to the infrastructure.
Confidentiality and integrity compromise in Oracle VM VirtualBox 7.2.8 (Shared Folders component) allows a low-privileged local attacker on the host to escape the guest/host boundary and access or modify critical data across the scope, including resources outside VirtualBox itself. The flaw is rated CVSS 3.1 7.5 with a scope change, but exploitation is rated High complexity by Oracle and there is no public exploit identified at time of analysis. Patch is available per Oracle's June 2026 Critical Patch Update advisory.
Unauthorized read access in Oracle VM VirtualBox 7.2.8's VMSVGA device component can be triggered by a locally authenticated, highly privileged attacker, resulting in a scope-change impact that may expose a subset of confidential data from resources beyond the guest VM boundary, potentially the host layer. Oracle's June 2026 Critical Patch Update describes the flaw as easily exploitable once the high-privilege prerequisite is met, though the constrained attack surface limits realistic exposure to administrative accounts with existing local host access. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis; the low CVSS base score of 3.2 reflects the narrow confidentiality-only impact and strict access requirements.
Privileged local compromise of Oracle VM VirtualBox 7.2.8 allows an attacker already authenticated to the host with high privileges to take over the VirtualBox installation and cross the hypervisor boundary into additional products (scope-changed). Oracle's CPU advisory rates this CVSS 3.1 7.5 with high attack complexity; no public exploit identified at time of analysis and it is not listed in CISA KEV.
The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the guest-to-host isolation boundary and gain unauthorized read access to critical data beyond the VM's intended scope. The CVSS scope change (S:C) confirms this is a hypervisor boundary violation - successful exploitation exposes host-level or cross-VM confidential data, a severe outcome in multi-tenant virtualization environments despite the moderate base score. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation.
Oracle VM VirtualBox 7.2.8 Core component exposes a local information disclosure path exploitable by a high-privileged attacker already logged on to the host infrastructure, resulting in unauthorized read access to a subset of VirtualBox-accessible data. The CVSS scope change (S:C) indicates the read impact may cross virtualization boundaries and affect additional products - such as guest VMs - beyond the VirtualBox process itself. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, placing this in a low-urgency but operationally meaningful category for multi-tenant virtualization environments.
Privilege escalation and host takeover in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged local attacker to break out of the virtualization boundary and impact additional products beyond VirtualBox itself (scope change). The flaw carries a CVSS 3.1 base score of 7.5 with full confidentiality, integrity, and availability impact, but exploitation is rated high complexity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Integrity compromise in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device component allows a highly privileged local attacker to make unauthorized modifications to critical data, with scope change indicating impact extends beyond the initially targeted VM instance. The CVSS 3.1 vector (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N) confirms local-only attack surface requiring high privileges, but the confirmed scope change elevates the potential blast radius to the host or adjacent VMs. No public exploit has been identified at time of analysis, and the vulnerability is patched under Oracle's Critical Security Update for June 2026.
Local information disclosure in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged guest or host attacker to read a subset of VirtualBox-accessible data across the VM isolation boundary. The scope change (S:C) in the CVSS vector indicates the vulnerability crosses the hypervisor boundary, making it relevant to multi-tenant or shared virtualization deployments despite the low base score of 3.2. No public exploit has been identified and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog; Oracle addressed it in the June 2026 Critical Patch Update.
Information disclosure in the VMSVGA device component of Oracle VM VirtualBox 7.2.8 enables a highly privileged local attacker already present on the virtualization host to read a subset of VirtualBox-accessible data. The scope change (S:C) in the CVSS vector is the most operationally significant element - exploitation can impact components beyond the VirtualBox process itself, potentially reaching adjacent VMs or host resources. No public exploit code and no active exploitation have been identified at time of analysis; CVSS base score of 3.2 (Low) reflects limited confidentiality impact and a high privilege bar.
Denial-of-service in Oracle VM VirtualBox 7.2.8 affects the VMSVGA virtual graphics device emulation layer, allowing a highly privileged local attacker to cause a persistent hang or fully repeatable crash of the hypervisor process. The CVSS Scope:Changed metric signals that the DoS impact propagates beyond the attacker's own guest VM, potentially destabilizing the host process and all co-resident VMs - a meaningful concern in multi-tenant and VDI environments. No public exploit code exists and no CISA KEV listing is present at time of analysis; exploitation is bounded by the requirement for high-privileged local access to the infrastructure.
Confidentiality and integrity compromise in Oracle VM VirtualBox 7.2.8 (Shared Folders component) allows a low-privileged local attacker on the host to escape the guest/host boundary and access or modify critical data across the scope, including resources outside VirtualBox itself. The flaw is rated CVSS 3.1 7.5 with a scope change, but exploitation is rated High complexity by Oracle and there is no public exploit identified at time of analysis. Patch is available per Oracle's June 2026 Critical Patch Update advisory.