CVE-2026-21984
Published: 20 January 2026
Summary
CVE-2026-21984 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Vm Virtualbox. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Hypervisor (T1062); ranked at the 11.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21984 is a vulnerability in the Core component of Oracle VM VirtualBox, a product within Oracle Virtualization. The supported versions affected are 7.1.14 and 7.2.4. Classified under CWE-284 (Improper Access Control), it carries a CVSS 3.1 base score of 7.5 with the vector AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating high impacts to confidentiality, integrity, and availability.
The vulnerability is difficult to exploit and requires a high-privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox executes. Successful exploitation allows the attacker to compromise Oracle VM VirtualBox, resulting in a full takeover of the product. Although the flaw resides in VirtualBox, exploitation enables a scope change that may significantly impact additional products.
Oracle's Critical Patch Update advisory provides details on mitigation, available at https://www.oracle.com/security-alerts/cpujan2026.html. Security practitioners should consult this reference for patches and recommended actions applicable to the affected versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3528
Vulnerability details
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to…
more
compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper access control in VirtualBox core directly enables hypervisor compromise/takeover from a privileged host context, mapping to T1062.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the specific improper access control vulnerability in Oracle VM VirtualBox core by requiring timely application of vendor patches for affected versions 7.1.14 and 7.2.4.
Enforces system-wide access control policies and mechanisms to prevent high-privileged local attackers from exploiting the CWE-284 improper access control flaw in VirtualBox.
Limits privileges of accounts and processes on the host infrastructure, reducing the attack surface for high-privileged (PR:H) exploitation of the VirtualBox vulnerability.