CVE-2026-35242
Published: 21 April 2026
Summary
CVE-2026-35242 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Vm Virtualbox. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the specific flaw in VirtualBox Core by applying vendor patches as detailed in Oracle's Critical Patch Update.
Enforces approved authorizations to address the improper access control (CWE-284) vulnerability exploitable by high-privileged local attackers.
Limits high-privileged (PR:H) access required for local exploitation, reducing the attack surface in the hosting infrastructure.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The improper access control vulnerability in VirtualBox core allows a high-privileged local attacker to achieve full product takeover with high CIA impact and changed scope, directly enabling exploitation for privilege escalation on the host.
NVD Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise…
more
Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Deeper analysisAI
CVE-2026-35242 is a vulnerability in the Core component of Oracle VM VirtualBox, which is part of the Oracle Virtualization product. The supported version affected is 7.2.6. It has been assigned CWE-284 (Improper Access Control) and carries a CVSS 3.1 Base Score of 7.5 with the vector AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating high impacts to confidentiality, integrity, and availability.
A high-privileged attacker (PR:H) with local logon access (AV:L) to the infrastructure hosting Oracle VM VirtualBox can exploit this difficult-to-exploit vulnerability (AC:H). Successful exploitation compromises Oracle VM VirtualBox, enabling a full takeover of the product. The scope is changed (S:C), meaning attacks may significantly impact additional products beyond Oracle VM VirtualBox.
Details on mitigation, including patches, are available in Oracle's Critical Patch Update for April 2026 at https://www.oracle.com/security-alerts/cpuapr2026.html. The vulnerability was published on 2026-04-21.
Details
- CWE(s)