Cyber Resilience

CVE-2026-21986

High

Published: 20 January 2026

Modified: 29 January 2026
KEV Added: not listed
Patch: available (Oracle Critical Patch Update, January 2026)
CVSS Score (v3.1): 7.1, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS Score: 0.0001 (0.8th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21986 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in Oracle VM VirtualBox. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 0.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-21986 is a vulnerability in the Core component of Oracle VM VirtualBox, which is part of Oracle Virtualization. The supported versions affected are 7.1.14 and 7.2.4. This easily exploitable vulnerability enables an unauthenticated attacker to compromise Oracle VM VirtualBox, resulting in the unauthorized ability to cause a hang or frequently repeatable crash, i.e. a complete denial of service (DoS). The issue applies to Windows VMs only. The CVSS 3.1 base score is 7.1, reflecting availability impact only (vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

An unauthenticated attacker who has logon access to the infrastructure where Oracle VM VirtualBox executes can exploit this vulnerability. While the flaw resides in VirtualBox, exploitation may significantly impact additional products due to a scope change. Successful attacks achieve a complete DoS on VirtualBox through hangs or repeatable crashes, without affecting confidentiality or integrity.

The Oracle Critical Patch Update advisory provides details on mitigation, available at https://www.oracle.com/security-alerts/cpujan2026.html. Security practitioners should consult this reference for patches and recommended actions applicable to the affected versions.

Vulnerability details

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 7.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

CWE(s): none assigned

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local exploitation of VirtualBox core leads directly to application/system crash for DoS (availability impact only).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35245 (same product: Oracle VM VirtualBox)
CVE-2026-21955 (same product: Oracle VM VirtualBox)
CVE-2026-21989 (same product: Oracle VM VirtualBox)
CVE-2026-21984 (same product: Oracle VM VirtualBox)
CVE-2026-21957 (same product: Oracle VM VirtualBox)
CVE-2026-21956 (same product: Oracle VM VirtualBox)
CVE-2026-35251 (same product: Oracle VM VirtualBox)
CVE-2026-21987 (same product: Oracle VM VirtualBox)
CVE-2026-35230 (same product: Oracle VM VirtualBox)
CVE-2026-21983 (same product: Oracle VM VirtualBox)

Affected Assets

Vendor: Oracle
Product: VM VirtualBox
Affected versions: 7.1.14, 7.2.4

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)

Directly requires timely application of the Oracle Critical Patch Update to eliminate the VirtualBox Core flaw before local exploitation can occur.

AC-3 Access Enforcement (prevent)

Enforces access-control policy on the host so that only authorized subjects can obtain the local logon session required for unauthenticated exploitation.

Least privilege on the host (prevent)

Limits the privileges of any local account on the VirtualBox host, reducing the ability of an unauthenticated or low-privileged user to trigger the DoS condition.
