CVE-2026-21956
Published: 20 January 2026
Summary
CVE-2026-21956 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in the Core component of Oracle VM VirtualBox. Its CVSS 3.1 base score is 8.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 12.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Timely remediation: directly mandates patching of known flaws such as CVE-2026-21956 in the Oracle VM VirtualBox Core component, closing the high-impact exploitation path.
- AC-6 (Least Privilege): limits which accounts hold high privileges on the host where VirtualBox executes. Because exploitation requires PR:H, shrinking that population shrinks the set of accounts that can meet the precondition at all.
- RA-5 (Vulnerability Monitoring and Scanning): automated scanning identifies hosts running the affected Oracle VM VirtualBox versions (7.1.14 and 7.2.4) so they can be remediated before exploitation.
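The RA-5 item above is the one a practitioner has to turn into something that runs. The following script is an added example, not part of this page and not Oracle tooling: it queries the local VirtualBox install with `VBoxManage --version`, parses the `major.minor.patch` triple from output of the form `7.1.14r165100` (the output format is an assumption; the `r165100` revision in the sample is constructed), and flags exactly the two versions the NVD text names. Any other version is reported for manual confirmation against the Oracle advisory, because this page does not state which releases carry the fix.

```python
"""Host check for the Oracle VM VirtualBox versions NVD lists as affected.

Added example; not part of the original page and not Oracle tooling.
Assumptions: `VBoxManage --version` is on PATH and prints a version such as
"7.1.14r165100" (major.minor.patch, then 'r' and a revision number; the
sample revision is constructed). Only the two versions the NVD text names
are flagged as affected; anything else is reported for confirmation against
the Oracle advisory, since this page does not say which releases fix the flaw.
"""
import re
import subprocess
from typing import Optional

# Versions named as affected in the NVD description of CVE-2026-21956.
AFFECTED_VERSIONS = {"7.1.14", "7.2.4"}

# Advisory cited on this page for remediation details.
ADVISORY = "https://www.oracle.com/security-alerts/cpujan2026.html"

# First major.minor.patch triple anywhere in the output.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_vboxmanage_version(output: str) -> Optional[str]:
    """Extract 'major.minor.patch' from VBoxManage --version output.

    Returns None when no version triple is present (e.g. an error message
    or empty output), so the caller can report "unknown" rather than "clean".
    """
    match = _VERSION_RE.search(output)
    return match.group(0) if match else None


def classify(version: Optional[str]) -> str:
    """Classify a parsed version against the NVD affected list."""
    if version is None:
        return "unknown: could not parse a VirtualBox version"
    if version in AFFECTED_VERSIONS:
        return f"AFFECTED: {version} is listed for CVE-2026-21956; see {ADVISORY}"
    return f"not in NVD affected list ({version}); confirm against {ADVISORY}"


def check_local_host() -> str:
    """Run VBoxManage on this host and classify what it reports.

    A missing binary or a hang is reported as unknown, never as not affected.
    """
    try:
        proc = subprocess.run(
            ["VBoxManage", "--version"],
            capture_output=True, text=True, timeout=15,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return f"unknown: VBoxManage not runnable ({exc.__class__.__name__})"
    return classify(parse_vboxmanage_version(proc.stdout))


if __name__ == "__main__":
    print(check_local_host())
```

Run it on each host in the estate (or wrap `classify(parse_vboxmanage_version(...))` around inventory data you already collect) and treat "unknown" as a finding to chase, not as a pass: a host where VBoxManage cannot be run has not been assessed.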
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploitation for Privilege Escalation (T1068): an attacker who already holds high-privileged local logon to the host where VirtualBox executes can exploit the CWE-400 resource-consumption flaw to take over Oracle VM VirtualBox, and because the scope changes (S:C) the impact can extend beyond VirtualBox to additional products.
NVD Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Deeper analysis
CVE-2026-21956 is a vulnerability in the Core component of Oracle VM VirtualBox, a product within Oracle Virtualization. The supported versions affected are 7.1.14 and 7.2.4. Published on 2026-01-20, it is classified under CWE-400 and carries a CVSS 3.1 base score of 8.2, with the vector (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high impacts to confidentiality, integrity, and availability.
A high-privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox executes can exploit the vulnerability with little effort to compromise Oracle VM VirtualBox, potentially taking over the product entirely. The vector decodes as local access (AV:L), low attack complexity (AC:L), high privileges required (PR:H), and no user interaction (UI:N). Because the scope is changed (S:C), exploitation may significantly impact additional products beyond Oracle VM VirtualBox, and the changed scope is also the reason the score stays high despite the high-privilege precondition.
Mitigation details are provided in the Oracle security advisory at https://www.oracle.com/security-alerts/cpujan2026.html.
Details
- CWE(s)