{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35246", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-04-01T20:03:40.833Z", "datePublished": "2026-04-21T20:35:51.676Z", "dateUpdated": "2026-04-21T20:35:51.676Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:51.676Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle VM VirtualBox", "versions": [{"version": "7.2.6", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:vm_virtualbox:7.2.6:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)."}], "id": "CVE-2026-35246", "lastModified": "2026-04-21T21:16:40.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 6.0, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:40.677", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.2.6"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Oracle VM VirtualBox", "source": "cna", "vendor": "Oracle Corporation"}, "product": "vm_virtualbox", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T06:27:06.541041+00:00", "value": {"mitigation_remediation": ["Apply an Oracle\u2011issued patch that addresses the core component flaw in VirtualBox\u00a07.2.6", "Restrict local privileged accounts that run VirtualBox, ensuring only necessary access rights are granted", "Implement monitoring of VirtualBox configuration files and process integrity to detect unauthorized changes"], "summary": {"action": "Patch Now", "impact": "High privilege escalation leading to takeover of Oracle VM VirtualBox"}, "threat_synthesis": {"affected_systems": "Oracle Corporation\u2019s Oracle VM VirtualBox version\u202f7.2.6, as identified by the CPE cpe:2.3:a:oracle:vm_virtualbox:7.2.6:*:*:*:*:*:*:*", "description_and_impact": "The vulnerability exists in the core component of Oracle VM VirtualBox version\u202f7.2.6 and allows a user who is already logged in with high privileges to compromise the VirtualBox instance. The flaw affects confidentiality, integrity, and availability of the virtual environment and, due to the scope-change flag, could also impact other products that rely on VirtualBox. The CVSS base score is 7.5 with a local attacker (AV:L) and high privilege (PR:H), with no user interaction required.", "risk_and_exploitability": "The CVSS score indicates high severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog, suggesting that no active exploitation has been documented. The local attack vector requires the attacker to have high\u2011privilege access on the host, meaning an insider or compromised account could exploit the weakness. Because the scope changes to other products, this risk could propagate beyond the VM itself, but the exploitation does not involve external network reachability."}}}}, "created": "2026-04-22T06:30:10.676208+00:00", "title": "Oracle VM VirtualBox Core Access Control Vulnerability", "updated": "2026-04-22T08:15:05.532335+00:00", "vendors": ["oracle", "oracle$PRODUCT$vm_virtualbox"], "weaknesses": ["CWE-284"]}