Cyber Posture

CVE-2026-21986

High

Published: 20 January 2026

Published: 20 January 2026
Modified: 29 January 2026
KEV Added: not listed
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0002 (5.9th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21986 is a high-severity vulnerability in Oracle VM VirtualBox whose weakness type (CWE) is unspecified. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 5.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local exploitation of the VirtualBox Core component leads directly to an application or system crash, i.e. denial of service (availability impact only; no confidentiality or integrity impact).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 7.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

Deeper analysis

CVE-2026-21986 is a vulnerability in the Core component of Oracle VM VirtualBox, which is part of Oracle Virtualization. The supported versions affected are 7.1.14 and 7.2.4. This easily exploitable vulnerability enables an unauthenticated attacker to compromise Oracle VM VirtualBox, gaining the unauthorized ability to cause a hang or frequently repeatable crash, i.e. a complete denial of service (DoS). The issue applies to Windows VMs only. The CVSS 3.1 base score is 7.1, driven entirely by the availability impact (vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

An unauthenticated attacker who has logon access to the infrastructure where Oracle VM VirtualBox executes can exploit this vulnerability (the vector's AV:L and PR:N reflect local access without privileges). While the flaw resides in VirtualBox, exploitation may significantly impact additional products because of the scope change (S:C). Successful attacks achieve a complete DoS on VirtualBox through hangs or repeatable crashes, without affecting confidentiality or integrity.

The Oracle Critical Patch Update advisory for January 2026 provides mitigation details at https://www.oracle.com/security-alerts/cpujan2026.html. Security practitioners should consult this reference for patches and recommended actions for the affected versions, 7.1.14 and 7.2.4.

Details

CWE(s)

Affected Products

Vendor: oracle
Product: vm virtualbox
Affected versions: 7.1.14, 7.2.4

CVEs Like This One

CVE-2026-35245 (same product: Oracle VM VirtualBox)
CVE-2026-35251 (same product: Oracle VM VirtualBox)
CVE-2026-21984 (same product: Oracle VM VirtualBox)
CVE-2026-21956 (same product: Oracle VM VirtualBox)
CVE-2026-21957 (same product: Oracle VM VirtualBox)
CVE-2025-21571 (same product: Oracle VM VirtualBox)
CVE-2026-21990 (same product: Oracle VM VirtualBox)
CVE-2026-21987 (same product: Oracle VM VirtualBox)
CVE-2026-35230 (same product: Oracle VM VirtualBox)
CVE-2026-35246 (same product: Oracle VM VirtualBox)

References