CVE-2026-21982

Severity: High
Published: 20 January 2026
Modified: 29 January 2026
KEV Added: not listed
Patch: see the Oracle security advisory (link under Deeper analysis)
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (22.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21982 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle VM VirtualBox. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked at the 22.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 PE-4 (Access Control for Transmission) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-21982 is a vulnerability in the Core component of Oracle VM VirtualBox, which is part of Oracle Virtualization. The supported versions affected by this issue are 7.1.14 and 7.2.4. It is classified under CWE-284 (Improper Access Control) and carries a CVSS 3.1 base score of 7.5, reflecting high impacts to confidentiality, integrity, and availability.

The vulnerability is difficult to exploit and enables an unauthenticated attacker with access to the physical communication segment attached to the hardware where Oracle VM VirtualBox executes to compromise the product. Successful attacks can result in a full takeover of Oracle VM VirtualBox. The CVSS vector is (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating adjacent network access, high attack complexity, no privileges or user interaction required, and unchanged scope.

Mitigation details are provided in the Oracle security advisory at https://www.oracle.com/security-alerts/cpujan2026.html.

Vulnerability details

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s): CWE-284 (Improper Access Control)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

This CVE enables adjacent-network exploitation of VirtualBox for full host/process takeover via improper access control, directly mapping to remote service exploitation and privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35242: same product, Oracle VM VirtualBox
CVE-2026-35251: same product, Oracle VM VirtualBox
CVE-2026-35246: same product, Oracle VM VirtualBox
CVE-2026-35230: same product, Oracle VM VirtualBox
CVE-2026-35245: same product, Oracle VM VirtualBox
CVE-2026-21984: same product, Oracle VM VirtualBox
CVE-2026-21956: same product, Oracle VM VirtualBox
CVE-2026-21988: same product, Oracle VM VirtualBox
CVE-2026-21990: same product, Oracle VM VirtualBox
CVE-2025-21571: same product, Oracle VM VirtualBox

Affected Assets

Vendor: oracle
Product: vm virtualbox
Versions: 7.1.14, 7.2.4

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Flaw remediation (prevent): Directly remediates the specific flaw in Oracle VM VirtualBox Core (CVE-2026-21982) through timely identification, reporting, and correction of vulnerabilities.

PE-4 Access Control for Transmission (prevent): Prevents unauthenticated attackers from accessing the physical communication segment attached to the VirtualBox host hardware, which is required for exploitation (AV:A).

SC-7 Boundary Protection (prevent): Monitors and controls communications at system boundaries to block unauthorized adjacent network traffic that could exploit the VirtualBox Core vulnerability.

References

Oracle Critical Patch Update Advisory, January 2026: https://www.oracle.com/security-alerts/cpujan2026.html