CVE-2026-21986

7.1 HIGH

📋 TL;DR

An unauthenticated local attacker can cause a denial-of-service (DoS) crash in Oracle VM VirtualBox on Windows hosts. This vulnerability affects VirtualBox versions 7.1.14 and 7.2.4 running Windows virtual machines. The attack requires local access to the host system where VirtualBox is installed.

💻 Affected Systems

Products:
  • Oracle VM VirtualBox
Versions: 7.1.14 and 7.2.4
Operating Systems: Windows (host OS)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows virtual machines. Linux and other guest OS types are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete unavailability of the VirtualBox service, disrupting all running Windows virtual machines and preventing new VMs from starting.

🟠 Likely Case

Targeted VirtualBox instances crash, requiring a manual restart and causing temporary service disruption for Windows VMs.

🟢 If Mitigated

Minimal impact with proper access controls limiting local user privileges and network segmentation.

🌐 Internet-Facing: LOW - Attack requires local access to the host system, not remotely exploitable.
🏢 Internal Only: MEDIUM - Internal users with local access to VirtualBox hosts can disrupt virtualization services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires local access to the host system but no authentication to VirtualBox itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 7.1.14 and 7.2.4 (check Oracle's latest security updates)

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2026.html

Restart Required: Yes

Instructions:

1. Download the latest VirtualBox version from the Oracle website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the host system.

🔧 Temporary Workarounds

Restrict Local Access (applies to: all)

Limit local user access to systems running VirtualBox to trusted administrators only.

Use Non-Windows VMs (applies to: all)

Temporarily migrate workloads to Linux or other non-Windows virtual machines.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can log into VirtualBox host systems
  • Monitor VirtualBox processes for unexpected crashes and implement rapid restart procedures

🔍 How to Verify

Check if Vulnerable:

Check the VirtualBox version with 'VBoxManage --version' or via the GUI (Help > About). If the version is exactly 7.1.14 or 7.2.4, the system is vulnerable.

Check Version:

VBoxManage --version

Verify Fix Applied:

Using the same version check command, verify that the installed version is newer than 7.1.14 (on the 7.1 branch) or newer than 7.2.4 (on the 7.2 branch).
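The version check above can be scripted so it gives a consistent answer across a fleet of hosts. The following is an added example, not part of this advisory page or Oracle's tooling; it assumes that 'VBoxManage --version' prints a string of the form major.minor.patch followed by an optional 'r' and build number (for example '7.1.14r169045'), and it classifies the installed build against the two affected releases listed on this page (the sample output used when VBoxManage is not on PATH is constructed).

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected releases as listed in this advisory summary.
AFFECTED = {(7, 1, 14), (7, 2, 4)}

# Assumed output format of `VBoxManage --version`: "7.1.14r169045" (build suffix optional).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:r(\d+))?")


def parse_vbox_version(output: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the first line of VBoxManage --version output."""
    m = _VERSION_RE.match(output)
    if not m:
        raise ValueError(f"unrecognised VBoxManage version string: {output!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return (major, minor, patch)


def assess(output: str) -> str:
    """Classify an installed build against the affected releases on the same branch.

    Returns "affected" for exactly 7.1.14 or 7.2.4, "fixed" for a newer build on the
    same 7.1 or 7.2 branch, and explicit "check the advisory" strings otherwise, since
    this page says nothing about older builds or other branches.
    """
    v = parse_vbox_version(output)
    if v in AFFECTED:
        return "affected"
    for a in AFFECTED:
        if v[:2] == a[:2]:
            # Tuple comparison orders (major, minor, patch) numerically.
            return "fixed" if v > a else "older than listed release; check the advisory"
    return "branch not covered by this advisory"


def installed_version() -> Optional[str]:
    """Run VBoxManage --version on this host; None if VBoxManage is missing or fails."""
    try:
        result = subprocess.run(
            ["VBoxManage", "--version"], capture_output=True, text=True, check=True
        )
        return result.stdout.strip().splitlines()[0]
    except (OSError, subprocess.CalledProcessError, IndexError):
        return None


if __name__ == "__main__":
    # Constructed sample output so the script also runs where VirtualBox is not installed.
    out = installed_version() or "7.1.14r169045"
    print(f"{out} -> {assess(out)}")
```

On a Windows host, VBoxManage.exe normally lives in the VirtualBox install directory, so add that directory to PATH or pass the full path in the subprocess call before relying on installed_version().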

📡 Detection & Monitoring

Log Indicators:

  • VirtualBox process crashes in Windows Event Logs
  • Unexpected termination of VBoxSVC service

Network Indicators:

  • Sudden loss of connectivity to Windows VMs

SIEM Query:

(EventID=1000 OR EventID=1001) AND (Source='VirtualBox' OR ProcessName='VirtualBox')
