{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35248", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-04-01T20:03:40.834Z", "datePublished": "2026-04-21T20:35:52.538Z", "dateUpdated": "2026-04-21T20:35:52.538Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:52.538Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle VM VirtualBox", "versions": [{"version": "7.2.6", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:vm_virtualbox:7.2.6:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L", "baseScore": 5, "baseSeverity": "MEDIUM"}}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L)."}], "id": "CVE-2026-35248", "lastModified": "2026-04-21T21:16:40.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.7, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:40.957", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.2.6"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Oracle VM VirtualBox", "source": "cna", "vendor": "Oracle Corporation"}, "product": "vm_virtualbox", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T04:42:37.336065+00:00", "value": {"mitigation_remediation": ["Upgrade to a version of Oracle VM VirtualBox that is later than 7.2.6", "Limit the use of high\u2011privilege accounts that can control VirtualBox hosts to the minimum necessary set", "Enable logging and audit trails for VirtualBox operations and review logs for unexpected update, delete, or connectivity events"], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access and Partial Denial"}, "threat_synthesis": {"affected_systems": "Oracle Corporation\u2019s Oracle VM VirtualBox, version 7.2.6. The affected component is the Core module of the VirtualBox application.", "description_and_impact": "The vulnerability in Oracle VM VirtualBox 7.2.6 permits a high\u2011privileged attacker who already has logon access to the host infrastructure to compromise the VirtualBox host itself. Exploitation allows the attacker to perform unauthorized updates, inserts, or deletions on data the VirtualBox service manages, to read restricted data subsets, and to induce a partial denial of service. The impact spans confidentiality, integrity, and availability, and the scope change indicates that the security failure could propagate to other Oracle products that interact with VirtualBox.", "risk_and_exploitability": "The CVSS 3.1 base score of 5.0 denotes moderate severity, with low attacker\u2013required efforts (attack vector LOCAL, high privilege), no user interaction, and a scope change. EPSS is not available and the vulnerability is not listed in CISA KEV. An attacker must already be logged in with elevated privileges on the host; from that position the flaw can be exploited to obtain partial data access and to disrupt functionality of VirtualBox. Because the scope changes, additional Oracle products may also be impacted indirectly."}}}}, "created": "2026-04-22T02:45:05.723266+00:00", "title": "Privilege Escalation and Partial Denial in Oracle VM VirtualBox 7.2.6", "updated": "2026-04-22T04:45:09.353629+00:00", "vendors": ["oracle", "oracle$PRODUCT$vm_virtualbox"], "weaknesses": ["CWE-284", "CWE-264"]}