Cyber Resilience

CVE-2026-21956

High

Published: 20 January 2026

Published
20 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0026 17.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21956 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Oracle Vm Virtualbox. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-21956 is a vulnerability in the Core component of Oracle VM VirtualBox, a product within Oracle Virtualization. The supported versions affected are 7.1.14 and 7.2.4. Published on 2026-01-20, it is classified under CWE-400 and carries a CVSS 3.1 base score of 8.2, with the vector (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high impacts to confidentiality, integrity, and availability.

A high privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox executes can exploit this easily exploitable vulnerability to compromise Oracle VM VirtualBox, potentially resulting in a full takeover of the product. The attack requires local access (AV:L) with low complexity (AC:L), high privileges (PR:H), and no user interaction (UI:N). Due to the changed scope (S:C), exploitation may significantly impact additional products beyond Oracle VM VirtualBox.

Mitigation details are provided in the Oracle security advisory at https://www.oracle.com/security-alerts/cpujan2026.html.

EU & UK References

Vulnerability details

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise…

more

Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local high-privileged access to the VirtualBox host enables exploitation for privilege escalation to full product takeover (CWE-400 resource issue with scope change).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21955Same product: Oracle Vm Virtualbox
CVE-2026-21983Same product: Oracle Vm Virtualbox
CVE-2026-21988Same product: Oracle Vm Virtualbox
CVE-2026-21990Same product: Oracle Vm Virtualbox
CVE-2026-21987Same product: Oracle Vm Virtualbox
CVE-2026-35251Same product: Oracle Vm Virtualbox
CVE-2025-21571Same product: Oracle Vm Virtualbox
CVE-2026-35246Same product: Oracle Vm Virtualbox
CVE-2026-35242Same product: Oracle Vm Virtualbox
CVE-2026-21957Same product: Oracle Vm Virtualbox

Affected Assets

oracle
vm virtualbox
7.1.14, 7.2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation and patching of known flaws like CVE-2026-21956 in Oracle VM VirtualBox core to prevent high-impact exploitation.

prevent

Enforces least privilege on the host infrastructure, countering the PR:H requirement for local high-privileged attackers to exploit the VirtualBox vulnerability.

detect

Enables automated vulnerability scanning to identify affected Oracle VM VirtualBox versions (7.1.14, 7.2.4) prior to exploitation.

References