CVE-2026-35275: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Shared Folders)
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Shared Folders). The supported version that is affected is 7.2.8. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N).
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: none published
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a privilege-escalation or data-access vulnerability in the Shared Folders component of Oracle VM VirtualBox 7.2.8. An attacker must already have a low-privileged local account on the host where VirtualBox runs, and exploitation is difficult due to environmental conditions that must be met. Successful exploitation gives the attacker full read and write access to critical data inside the VirtualBox environment, with scope extending beyond the hypervisor itself to other products or tenants on the same host. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix version.
HarborGuard Coverage
Detection: Available
Detection for CVE-2026-35275 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from base layers that ship VirtualBox components. Any image carrying the affected 7.2.8 binary surfaces immediately in the findings dashboard.
Triage: Available
Triage is available with the CVSS 3.1 base score of 7.5 (HIGH), and each finding is weighted further by the customer's configured compliance policy before being routed to the appropriate team inbox inside that organization.
Fix: Pending upstream
No fix version has been published by Oracle for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; for customers with auto-remediation enabled, that rebuild will trigger a regression run and a PR opened against affected workloads without requiring manual intervention.
Exploit Conditions
- Network reachability: Not required. The attacker needs an existing shell or process on the host; no network access to the service is required.
- Authentication: Required. Any low-privilege local account on the host is sufficient; no administrative credentials are needed.
- Victim interaction: Not required. No user interaction is required; the attacker can act entirely on their own.
- Attack complexity: High. Exploitation is rated High complexity, meaning the attacker must meet specific environmental conditions or timing constraints beyond their direct control.
Blast Radius
- Reads all data accessible to Oracle VM VirtualBox, including files in shared folders exposed to guest virtual machines.
- Modifies or deletes critical data inside the VirtualBox environment, including shared folder contents and configuration.
- The scope change means impact extends beyond VirtualBox itself, so other products or isolation boundaries co-located on the same host can be affected.
How HarborGuard Handles This
Status on HarborGuard: detection is available, fix pending upstream. Because Oracle has not yet published a fix for this CVE, HarborGuard monitors the advisory on every ingest cycle and flags all images carrying VirtualBox 7.2.8 as affected until a patched version is released. In the interim, customers can apply compensating controls such as restricting Shared Folder access via network policy isolation, limiting which host accounts can execute VirtualBox processes, and using egress filtering to contain any lateral movement if a guest is compromised. For customers with auto-remediation enabled, a patched rebuild and regression run will be triggered automatically the moment Oracle publishes a fix, with a PR opened against affected workloads for review.
Affected Products
- Oracle Corporation / Oracle VM VirtualBox 7.2.8 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)