CVE-2026-35230
Published: 21 April 2026
Summary
CVE-2026-35230 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Vm Virtualbox. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of the known flaw in Oracle VM VirtualBox core via the April 2026 Critical Patch Update, directly preventing exploitation.
Enforces logical access controls to address the CWE-284 improper access control vulnerability, blocking high-privileged local attackers from compromising VirtualBox.
Restricts privileges to least necessary on the host infrastructure, mitigating the PR:H requirement for local logon attackers to exploit the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper access control in VirtualBox hypervisor with scope change and high impact enables exploitation for privilege escalation and escape to host.
NVD Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise…
more
Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Deeper analysisAI
CVE-2026-35230 is a vulnerability in the Core component of Oracle VM VirtualBox, which is part of the Oracle Virtualization product. The supported version affected is 7.2.6. It is classified under CWE-284 (Improper Access Control) and carries a CVSS 3.1 base score of 7.5, with the vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating high impacts to confidentiality, integrity, and availability.
This difficult-to-exploit vulnerability allows a high-privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox executes to compromise the product. Exploitation requires high attack complexity and no user interaction, but successful attacks result in takeover of Oracle VM VirtualBox. Notably, while the vulnerability resides in VirtualBox, it enables scope change, meaning attacks may significantly impact additional products.
Oracle's Critical Patch Update for April 2026 addresses this issue, with details available in the security advisory at https://www.oracle.com/security-alerts/cpuapr2026.html.
Details
- CWE(s)