CVE-2026-35248
Received Received - Intake
Privilege Escalation in Oracle VM VirtualBox 7.2.6 Core Component

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: Oracle

Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-05-07
AI Q&A
2026-04-22
EPSS Evaluated
2026-05-05
NVD
CVE-2026-35248
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oracle vm_virtualbox 7.2.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Oracle VM VirtualBox product, specifically in version 7.2.6. It is a difficult to exploit flaw that allows a highly privileged attacker who already has logon access to the infrastructure running Oracle VM VirtualBox to compromise the product.

Successful exploitation can lead to unauthorized update, insertion, or deletion of some data accessible by Oracle VM VirtualBox, unauthorized reading of some data, and the ability to cause a partial denial of service (partial DOS) affecting Oracle VM VirtualBox.


How can this vulnerability impact me? :

If exploited, this vulnerability can allow an attacker with high privileges to modify, delete, or insert data within Oracle VM VirtualBox, read sensitive data without authorization, and cause a partial denial of service, potentially disrupting services.

Because the scope of the attack may extend beyond Oracle VM VirtualBox itself, other products relying on it could also be significantly impacted.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows a high privileged attacker with logon access to compromise Oracle VM VirtualBox, potentially leading to unauthorized read, update, insert, or delete access to data accessible by Oracle VM VirtualBox, as well as partial denial of service.

Such unauthorized access and data manipulation could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding the confidentiality, integrity, and availability of sensitive data.

However, the provided information does not explicitly describe the direct effects on compliance with these standards.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart