Cyber Resilience

CVE-2026-21984

HighLPE

Published: 20 January 2026

Published
20 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0004 11.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21984 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Vm Virtualbox. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Hypervisor (T1062); ranked at the 11.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21984 is a vulnerability in the Core component of Oracle VM VirtualBox, a product within Oracle Virtualization. The supported versions affected are 7.1.14 and 7.2.4. Classified under CWE-284 (Improper Access Control), it carries a CVSS 3.1 base score of 7.5 with the vector AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating high impacts to confidentiality, integrity, and availability.

The vulnerability is difficult to exploit and requires a high-privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox executes. Successful exploitation allows the attacker to compromise Oracle VM VirtualBox, resulting in a full takeover of the product. Although the flaw resides in VirtualBox, exploitation enables a scope change that may significantly impact additional products.

Oracle's Critical Patch Update advisory provides details on mitigation, available at https://www.oracle.com/security-alerts/cpujan2026.html. Security practitioners should consult this reference for patches and recommended actions applicable to the affected versions.

EU & UK References

Vulnerability details

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to…

more

compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1062 Hypervisor Persistence
**This technique has been deprecated and should no longer be used.
Why these techniques?

Improper access control in VirtualBox core directly enables hypervisor compromise/takeover from a privileged host context, mapping to T1062.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35230Same product: Oracle Vm Virtualbox
CVE-2026-35242Same product: Oracle Vm Virtualbox
CVE-2026-35251Same product: Oracle Vm Virtualbox
CVE-2026-35245Same product: Oracle Vm Virtualbox
CVE-2026-35246Same product: Oracle Vm Virtualbox
CVE-2026-21982Same product: Oracle Vm Virtualbox
CVE-2026-21956Same product: Oracle Vm Virtualbox
CVE-2026-21988Same product: Oracle Vm Virtualbox
CVE-2026-21990Same product: Oracle Vm Virtualbox
CVE-2025-21571Same product: Oracle Vm Virtualbox

Affected Assets

oracle
vm virtualbox
7.1.14, 7.2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the specific improper access control vulnerability in Oracle VM VirtualBox core by requiring timely application of vendor patches for affected versions 7.1.14 and 7.2.4.

prevent

Enforces system-wide access control policies and mechanisms to prevent high-privileged local attackers from exploiting the CWE-284 improper access control flaw in VirtualBox.

prevent

Limits privileges of accounts and processes on the host infrastructure, reducing the attack surface for high-privileged (PR:H) exploitation of the VirtualBox vulnerability.

References