CVE-2026-35251
Published: 21 April 2026
Summary
CVE-2026-35251 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Vm Virtualbox. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the specific improper access control flaw in Oracle VM VirtualBox core by applying vendor patches from the Critical Patch Update.
Limits the availability of high privileges (PR:H) required for local exploitation by enforcing least privilege on the host infrastructure.
Mandates enforcement of proper access control policies to address the CWE-284 improper access control vulnerability in VirtualBox core.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes improper access control (CWE-284) in Oracle VM VirtualBox core allowing a high-privileged local attacker (PR:H, AV:L) to achieve takeover of the hypervisor with scope change, directly enabling exploitation for privilege escalation on the host.
NVD Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise…
more
Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Deeper analysisAI
CVE-2026-35251 is a vulnerability in the Core component of Oracle VM VirtualBox, which is part of Oracle Virtualization. The supported version affected is 7.2.6. Classified under CWE-284 (Improper Access Control), it carries a CVSS 3.1 Base Score of 7.5 with the vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating high impacts on confidentiality, integrity, and availability.
The vulnerability is difficult to exploit and requires a high-privileged attacker (PR:H) with local logon access (AV:L) to the infrastructure hosting Oracle VM VirtualBox, along with high attack complexity (AC:H) and no user interaction (UI:N). Exploitation results in the takeover of Oracle VM VirtualBox, with a scope change (S:C) that may significantly impact additional products.
Mitigation details are provided in Oracle's Critical Patch Update for April 2026, accessible at https://www.oracle.com/security-alerts/cpuapr2026.html. Security practitioners should consult this advisory for patching instructions and apply updates to affected Oracle VM VirtualBox installations promptly.
Details
- CWE(s)