CVE-2026-35245
Published: 21 April 2026
Summary
CVE-2026-35245 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle VM VirtualBox. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004, a sub-technique of Endpoint Denial of Service). The CVE ranks at the 14.9th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation (SI-2): timely installation of the Oracle Critical Patch Update removes the vulnerability from the VirtualBox Core component, which is the only control that fixes the flaw rather than limiting reachability.
- Boundary protection (SC-7): filtering at external interfaces (host firewall, network segmentation, or binding the VRDE server to a loopback or management address) keeps unauthenticated remote attackers from reaching the RDP service exposed by VirtualBox.
- Least functionality (CM-7): disabling the RDP/VRDP (VRDE) server on VMs that do not need remote console access eliminates the exposed attack surface for this DoS vulnerability entirely.
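The SC-7 and CM-7 controls above are applied per VM with VBoxManage. The audit script below is an added example and is not taken from the advisory or from Oracle: it parses the output of `VBoxManage showvminfo <vm> --machinereadable` (the `vrde`, `vrdeproperty[TCP/Address]` and `vrdeproperty[TCP/Ports]` keys are assumed from that format; confirm them against a local VirtualBox install), flags VMs whose VRDE server is on and bound to a non-loopback address, and prints the `modifyvm` command that either turns VRDE off (CM-7) or binds it to 127.0.0.1 (SC-7). The two sample `showvminfo` outputs are constructed so the logic runs without VirtualBox present; patching (SI-2) is still required on every host.

```shell
#!/bin/sh
# Added example (not from the advisory or from Oracle): audit VirtualBox VMs for
# VRDE (VRDP) servers reachable from the network, the surface this CVE needs.
# VBoxManage subcommands used: list vms, showvminfo --machinereadable,
# modifyvm --vrde / --vrde-address.

# Constructed samples of `VBoxManage showvminfo "<vm>" --machinereadable`
# output (key names assumed from that format) so the audit runs offline.
SAMPLE_EXPOSED='name="build-agent"
vrde="on"
vrdeproperty[TCP/Address]=""
vrdeproperty[TCP/Ports]="3389"'

SAMPLE_LOOPBACK='name="ops-console"
vrde="on"
vrdeproperty[TCP/Address]="127.0.0.1"
vrdeproperty[TCP/Ports]="5000"'

SAMPLE_SAFE='name="dev-box"
vrde="off"'

# vrde_exposed <showvminfo output>
# Prints "EXPOSED <name> <address> <port>" and returns 0 when VRDE is on and
# bound to a non-loopback address (an empty address means all interfaces).
# Returns 1 when VRDE is off or loopback-only.
vrde_exposed() {
    info="$1"
    name=$(printf '%s\n' "$info" | sed -n 's/^name="\(.*\)"$/\1/p')
    vrde=$(printf '%s\n' "$info" | sed -n 's/^vrde="\(.*\)"$/\1/p')
    addr=$(printf '%s\n' "$info" | sed -n 's/^vrdeproperty\[TCP\/Address]="\(.*\)"$/\1/p')
    port=$(printf '%s\n' "$info" | sed -n 's/^vrdeproperty\[TCP\/Ports]="\(.*\)"$/\1/p')
    [ "$vrde" = "on" ] || return 1
    case "$addr" in
        127.0.0.1|::1|localhost) return 1 ;;
    esac
    printf 'EXPOSED %s %s %s\n' "$name" "${addr:-0.0.0.0}" "${port:-3389}"
    return 0
}

# remediation_cmd <vm name> <disable|loopback>
# "disable"  removes the VRDE surface (least functionality, CM-7).
# "loopback" keeps VRDE but binds it to 127.0.0.1 so only a local or
#            SSH-tunnelled client can reach it (boundary protection, SC-7).
remediation_cmd() {
    case "$2" in
        disable)  printf 'VBoxManage modifyvm "%s" --vrde off\n' "$1" ;;
        loopback) printf 'VBoxManage modifyvm "%s" --vrde-address 127.0.0.1\n' "$1" ;;
        *) return 1 ;;
    esac
}

# audit_all: live run over every registered VM (needs VBoxManage on PATH).
# `VBoxManage list vms` prints one `"name" {uuid}` line per VM.
audit_all() {
    VBoxManage list vms | sed 's/^"\(.*\)" {.*}$/\1/' | while IFS= read -r vm; do
        vrde_exposed "$(VBoxManage showvminfo "$vm" --machinereadable)" || continue
        remediation_cmd "$vm" loopback
    done
}

# Offline demo against the constructed samples: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_EXPOSED" "$SAMPLE_LOOPBACK" "$SAMPLE_SAFE"; do
        vrde_exposed "$s" || printf 'ok: %s\n' "$(printf '%s\n' "$s" | sed -n 's/^name="\(.*\)"$/\1/p')"
    done
fi
```

Run `audit_all` from a host shell to list the exposed VMs and the loopback-binding command for each; swap `loopback` for `disable` where remote console access is not needed at all. Commands are printed rather than executed so they can be reviewed before a change window.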
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a network-accessible (via RDP) flaw in VirtualBox that allows unauthenticated attackers to trigger application crashes or hangs, directly enabling endpoint DoS via application exploitation (T1499.004).
NVD Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Deeper analysis
CVE-2026-35245 affects the Core component of Oracle VM VirtualBox (Oracle Virtualization). Oracle lists 7.2.6 as the supported version affected; Oracle's Critical Patch Update advisories assess only supported releases, so older out-of-support builds should be treated as affected until upgraded. The weakness is classified as CWE-284 (Improper Access Control) and the CVE was published on 2026-04-21.
The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 7.5) means an unauthenticated attacker who can reach a VM's RDP (VRDE) endpoint over the network can, with low complexity and no user interaction, cause a hang or frequently repeatable crash of Oracle VM VirtualBox. The impact is availability only: no confidentiality or integrity loss is claimed, and the scope is unchanged. Exposure therefore depends on whether the VRDE server is enabled for a VM and reachable from untrusted networks; VRDE is off by default and is supplied by the Oracle VM VirtualBox Extension Pack, so hosts without the extension pack or with VRDE disabled present no RDP surface for this flaw.
Oracle has issued a Critical Patch Update advisory with details on the vulnerability and patch availability at https://www.oracle.com/security-alerts/cpuapr2026.html.
Details
- CWE(s): CWE-284 (Improper Access Control)