Cyber Resilience

CVE-2008-3431

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 05 August 2008

Published
05 August 2008
Modified
22 April 2026
KEV Added
03 March 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0544 90.4th percentile
Risk Priority 41 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2008-3431 is a high-severity an unspecified weakness vulnerability in Oracle Virtualbox. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 9.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is a local privilege escalation flaw in the VBoxDrvNtDeviceControl function within VBoxDrv.sys, part of Sun xVM VirtualBox prior to version 1.6.4. It stems from the driver's use of the METHOD_NEITHER IOCTL communication method combined with insufficient validation of a buffer tied to the IRP object, allowing an attacker to supply an arbitrary kernel address.

Local users with the ability to open the \\.\VBoxDrv device can exploit the issue by invoking DeviceIoControl with a crafted request. Successful exploitation grants elevated privileges on the host system, corresponding to a CVSS 3.1 score of 8.8 under an AV:L/AC:L/PR:L/UI:N/S:C vector.

Public references including Secunia advisory 31361, SunSolve document 240095-1, the VirtualBox changelog, and SecurityTracker entry 1020625 point to the availability of a patched release in version 1.6.4 that addresses the driver flaw.

No information on observed in-the-wild exploitation is supplied in the source data.

EU & UK References

Vulnerability details

The VBoxDrvNtDeviceControl function in VBoxDrv.sys in Sun xVM VirtualBox before 1.6.4 uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to gain privileges by opening the…

more

\\.\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address.

CWE(s)
KEV Date Added
03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

oracle
virtualbox
≤ 1.6.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References