Source: virtualbox
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for virtualbox.

CVE-2026-46977[0]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: VMSVGA device). The supported version
| that is affected is 7.2.8. Easily exploitable vulnerability allows
| high privileged attacker with logon to the infrastructure where
| Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.
| While the vulnerability is in Oracle VM VirtualBox, attacks may
| significantly impact additional products (scope change). Successful
| attacks of this vulnerability can result in unauthorized read
| access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1
| Base Score 3.2 (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).

CVE-2026-46974[1]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). The supported version that is
| affected is 7.2.8. Difficult to exploit vulnerability allows high
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox. While the
| vulnerability is in Oracle VM VirtualBox, attacks may significantly
| impact additional products (scope change). Successful attacks of
| this vulnerability can result in takeover of Oracle VM VirtualBox.
| CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2026-46877[2]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: VMSVGA device). The supported version
| that is affected is 7.2.8. Easily exploitable vulnerability allows
| high privileged attacker with logon to the infrastructure where
| Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.
| While the vulnerability is in Oracle VM VirtualBox, attacks may
| significantly impact additional products (scope change). Successful
| attacks of this vulnerability can result in unauthorized access to
| critical data or complete access to all Oracle VM VirtualBox
| accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts).
| CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE-2026-46874[3]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). The supported version that is
| affected is 7.2.8. Easily exploitable vulnerability allows high
| privileged attacker with logon to the infrastructure where Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox. While the
| vulnerability is in Oracle VM VirtualBox, attacks may significantly
| impact additional products (scope change). Successful attacks of
| this vulnerability can result in unauthorized read access to a
| subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score
| 3.2 (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).

CVE-2026-46873[4]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: VMSVGA device). The supported version
| that is affected is 7.2.8. Difficult to exploit vulnerability allows
| high privileged attacker with logon to the infrastructure where
| Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.
| While the vulnerability is in Oracle VM VirtualBox, attacks may
| significantly impact additional products (scope change). Successful
| attacks of this vulnerability can result in takeover of Oracle VM
| VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and
| Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2026-46825[5]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: VMSVGA device). The supported version
| that is affected is 7.2.8. Easily exploitable vulnerability allows
| high privileged attacker with logon to the infrastructure where
| Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.
| While the vulnerability is in Oracle VM VirtualBox, attacks may
| significantly impact additional products (scope change). Successful
| attacks of this vulnerability can result in unauthorized creation,
| deletion or modification access to critical data or all Oracle VM
| VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Integrity
| impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N).

CVE-2026-46816[6]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: VMSVGA device). The supported version
| that is affected is 7.2.8. Easily exploitable vulnerability allows
| high privileged attacker with logon to the infrastructure where
| Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.
| While the vulnerability is in Oracle VM VirtualBox, attacks may
| significantly impact additional products (scope change). Successful
| attacks of this vulnerability can result in unauthorized read
| access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1
| Base Score 3.2 (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).

CVE-2026-46815[7]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: VMSVGA device). The supported version
| that is affected is 7.2.8. Easily exploitable vulnerability allows
| high privileged attacker with logon to the infrastructure where
| Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.
| While the vulnerability is in Oracle VM VirtualBox, attacks may
| significantly impact additional products (scope change). Successful
| attacks of this vulnerability can result in unauthorized read
| access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1
| Base Score 3.2 (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).

CVE-2026-46768[8]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: VMSVGA device). The supported version
| that is affected is 7.2.8. Easily exploitable vulnerability allows
| high privileged attacker with logon to the infrastructure where
| Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.
| While the vulnerability is in Oracle VM VirtualBox, attacks may
| significantly impact additional products (scope change). Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of Oracle
| VM VirtualBox. CVSS 3.1 Base Score 6.0 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H).

CVE-2026-35275[9]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Shared Folders). The supported version
| that is affected is 7.2.8. Difficult to exploit vulnerability allows
| low privileged attacker with logon to the infrastructure where
| Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.
| While the vulnerability is in Oracle VM VirtualBox, attacks may
| significantly impact additional products (scope change). Successful
| attacks of this vulnerability can result in unauthorized creation,
| deletion or modification access to critical data or all Oracle VM
| VirtualBox accessible data as well as unauthorized access to
| critical data or complete access to all Oracle VM VirtualBox
| accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality and
| Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-46977
    https://www.cve.org/CVERecord?id=CVE-2026-46977
[1] https://security-tracker.debian.org/tracker/CVE-2026-46974
    https://www.cve.org/CVERecord?id=CVE-2026-46974
[2] https://security-tracker.debian.org/tracker/CVE-2026-46877
    https://www.cve.org/CVERecord?id=CVE-2026-46877
[3] https://security-tracker.debian.org/tracker/CVE-2026-46874
    https://www.cve.org/CVERecord?id=CVE-2026-46874
[4] https://security-tracker.debian.org/tracker/CVE-2026-46873
    https://www.cve.org/CVERecord?id=CVE-2026-46873
[5] https://security-tracker.debian.org/tracker/CVE-2026-46825
    https://www.cve.org/CVERecord?id=CVE-2026-46825
[6] https://security-tracker.debian.org/tracker/CVE-2026-46816
    https://www.cve.org/CVERecord?id=CVE-2026-46816
[7] https://security-tracker.debian.org/tracker/CVE-2026-46815
    https://www.cve.org/CVERecord?id=CVE-2026-46815
[8] https://security-tracker.debian.org/tracker/CVE-2026-46768
    https://www.cve.org/CVERecord?id=CVE-2026-46768
[9] https://security-tracker.debian.org/tracker/CVE-2026-35275
    https://www.cve.org/CVERecord?id=CVE-2026-35275

Please adjust the affected versions in the BTS as needed.

