CVE-2026-35246
Published: 21 April 2026
Summary
CVE-2026-35246 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Vm Virtualbox. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the specific flaw in Oracle VM VirtualBox core (version 7.2.6) by requiring timely patching as advised in the Oracle Critical Patch Update.
Addresses the high privilege requirement (PR:H) by enforcing least privilege on local logon accounts to the host infrastructure, preventing unauthorized high-privileged access needed for exploitation.
Mitigates the scope change (S:C) impact by isolating VirtualBox processes from other system products, limiting compromise propagation despite successful takeover.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local vulnerability in VirtualBox core allowing high-privileged host attacker to compromise/take over the product (CWE-284 improper access control with scope change) directly enables exploitation for privilege escalation.
NVD Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise…
more
Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Deeper analysisAI
CVE-2026-35246 is a vulnerability in the Core component of Oracle VM VirtualBox, a product within Oracle Virtualization. The supported version affected is 7.2.6. It is a difficult-to-exploit vulnerability linked to CWE-284.
A high-privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox executes can exploit this vulnerability to compromise Oracle VM VirtualBox, resulting in a takeover of the product. Although the vulnerability resides in VirtualBox, exploitation may significantly impact additional products due to a scope change. The CVSS 3.1 base score is 7.5 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high local attack complexity, high privileges required, no user interaction needed, and high impacts to confidentiality, integrity, and availability.
The Oracle Critical Patch Update advisory provides details on patches and mitigation, available at https://www.oracle.com/security-alerts/cpuapr2026.html.
Details
- CWE(s)