CVE-2026-46974, severity HIGH, CNA: oracle

CVE-2026-46974: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.8. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

A privilege escalation and full-compromise vulnerability exists in the Core component of Oracle VM VirtualBox 7.2.8. Exploitation requires an attacker who already holds a high-privileged (admin-level) account and local logon access to the host where VirtualBox runs, with additional environmental conditions making reliable exploitation difficult. Successful exploitation gives the attacker complete control over the VirtualBox instance, with impact that can extend beyond the hypervisor to affect other products running on the same infrastructure. No fix version has been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from Oracle and NVD feeds within minutes of publication and matched against customer images, including custom-built images that bundle VirtualBox 7.2.8 components. Any image in a connected registry or CI pipeline that carries the affected version surfaces immediately in the findings queue.

Triage: Available

HarborGuard scores this finding at CVSS 7.5 HIGH and can weight it further against each customer organization's compliance policy, for example elevating priority when the affected image runs in a production or regulated environment. Findings are routed to the team inbox or ticketing integration configured for the affected workload.

Patch: Pending upstream

No upstream fix version has been published for this CVE. HarborGuard re-checks the Oracle and NVD advisory feeds on every ingest cycle; the moment Oracle publishes a patched release, a rebuilt image at the fix version becomes available, and customers with auto-remediation enabled will have a regression-test run triggered and a PR opened against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-exposed attack surface is required.

  • Authentication: Required

    A high-privileged (administrator-level) account on the infrastructure host is required before the attack can proceed.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker proceeds without involving another user.

  • Attack complexity: High

    Exploitation is rated High complexity, meaning the attacker must meet specific environmental conditions or timing constraints beyond simply having credentials and access.

Blast Radius

  • A successful attacker gains full read access to all data inside the VirtualBox instance, including guest VM memory, virtual disk contents, and configuration secrets.
  • The attacker can modify or corrupt VirtualBox state, guest filesystems, or persisted virtual machine configurations.
  • The attacker can crash or hang VirtualBox and any guest VMs it is running, causing a full service outage for hosted workloads.
  • Because the CVSS vector marks a scope change, compromise can spill beyond VirtualBox itself and affect other products or processes sharing the same host infrastructure.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists, the platform monitors the Oracle and NVD advisory feeds on every ingest cycle and will make a patched-image rebuild available the moment Oracle publishes a fix. In the interim, customers can apply compensating controls surfaced through HarborGuard policy rules: network-policy isolation to restrict which principals can log on to hosts running VirtualBox, enforcement of least-privilege access to prevent unnecessary admin account proliferation, and flagging any image carrying VirtualBox 7.2.8 as blocked from promotion to production until the advisory is resolved. For customers with auto-remediation enabled, once a fix version is published the rebuild, regression-test run, and PR against affected workloads will be initiated automatically; in those environments the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes.

Affected packages
  • Oracle Corporation / Oracle VM VirtualBox
    7.2.8
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H