{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35245", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-04-01T20:03:40.833Z", "datePublished": "2026-04-21T20:35:51.281Z", "dateUpdated": "2026-04-21T20:35:51.281Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:51.281Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle VM VirtualBox", "versions": [{"version": "7.2.6", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:vm_virtualbox:7.2.6:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."}], "id": "CVE-2026-35245", "lastModified": "2026-04-21T21:16:40.537", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:40.537", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.2.6"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Oracle VM VirtualBox", "source": "cna", "vendor": "Oracle Corporation"}, "product": "vm_virtualbox", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T04:44:00.099757+00:00", "value": {"mitigation_remediation": ["Check Oracle\u2019s security portal for an available patch or update for VirtualBox 7.2.6 and apply it immediately.", "If a patch is not yet released, block or restrict RDP traffic to the VirtualBox host using firewall rules or network segmentation to limit exposure to unauthenticated users.", "Monitor the VirtualBox host for abnormal crashes or hangs and investigate any anomalous RDP activity to detect ongoing exploitation attempts."], "summary": {"action": "Patch Now", "impact": "Denial of Service via RDP"}, "threat_synthesis": {"affected_systems": "Oracle Corporation\u2019s Oracle VM VirtualBox version 7.2.6.", "description_and_impact": "The Oracle VM VirtualBox 7.2.6 contains a flaw in the core component that allows an unauthenticated user with network access via Remote Desktop Protocol to trigger a hang or crash, resulting in a denial of service. The flaw stems from improper handling of RDP input, leading to a controllable failure in the virtual machine host. Attackers can repeatedly exploit this weakness to disrupt the availability of the virtualization environment.", "risk_and_exploitability": "The vulnerability has a CVSS 3.1 Base Score of 7.5, indicating a high impact on availability. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated network connection via RDP, requiring no elevated privileges. While the exploitability at present appears moderate, the possibility of an easily triggered remote denial of service makes it a significant risk for environments that deploy this version of VirtualBox."}}}}, "created": "2026-04-22T04:00:07.656474+00:00", "title": "Remote Desktop\u2013Triggered Denial of Service in Oracle VM VirtualBox 7.2.6", "updated": "2026-04-22T04:45:09.354557+00:00", "vendors": ["oracle", "oracle$PRODUCT$vm_virtualbox"], "weaknesses": ["CWE-400"]}