CVE-2026-21955
Published: 20 January 2026
Summary
CVE-2026-21955 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Oracle Vm Virtualbox. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the vulnerability by requiring timely identification, reporting, and remediation of flaws like CVE-2026-21955 through patching as specified in Oracle's Critical Patch Update.
Enforces least privilege on the host infrastructure, limiting the capabilities of high-privileged (PR:H) attackers required to exploit CVE-2026-21955 in VirtualBox core.
Provides continuous monitoring of the system hosting VirtualBox to identify indicators of exploitation such as anomalous behavior during VirtualBox takeover and scope change impacts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local high-privileged exploitation of VirtualBox core vulnerability directly enables privilege escalation to full product/host takeover (CWE-400 with scope change).
NVD Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise…
more
Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Deeper analysisAI
CVE-2026-21955 is a vulnerability in the Core component of the Oracle VM VirtualBox product within Oracle Virtualization. The supported versions affected are 7.1.14 and 7.2.4. It is classified under CWE-400 and carries a CVSS 3.1 Base Score of 8.2, with the vector (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high impacts to confidentiality, integrity, and availability.
The vulnerability is easily exploitable by a high privileged attacker who has logon access to the infrastructure where Oracle VM VirtualBox executes. Successful exploitation allows the attacker to compromise Oracle VM VirtualBox, resulting in a full takeover of the product. While the flaw resides in VirtualBox, attacks can significantly impact additional products due to a change in scope.
Oracle's Critical Patch Update for January 2026 addresses this vulnerability, with details available in their security alert at https://www.oracle.com/security-alerts/cpujan2026.html.
Details
- CWE(s)