CVE-2026-21990
📋 TL;DR
This vulnerability in Oracle VM VirtualBox allows a high-privileged attacker with local access to the host system to completely compromise the VirtualBox software. Because the vulnerability's CVSS scope is changed, a successful attack can extend beyond VirtualBox and affect other products running on the same infrastructure. Affected versions are 7.1.14 and 7.2.4.
💻 Affected Systems
- Oracle VM VirtualBox
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete takeover of Oracle VM VirtualBox leading to compromise of all virtual machines, potential host system compromise, and lateral movement to other systems in the infrastructure.
Likely Case
Attacker gains full control over VirtualBox, allowing them to manipulate, monitor, or destroy virtual machines and potentially access sensitive data within VMs.
If Mitigated
With proper access controls and network segmentation, impact is limited to the VirtualBox instance itself without affecting other systems.
🎯 Exploit Status
Attack requires local high-privileged access but is considered easily exploitable once that access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 7.1.14 and 7.2.4 (check Oracle's Critical Patch Update for specific fixed versions)
Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2026.html
Restart Required: Yes
Instructions:
1. Download the latest VirtualBox version from Oracle's website.
2. Uninstall the current VirtualBox version.
3. Install the updated version.
4. Restart the host system.
🔧 Temporary Workarounds
Restrict Local Administrative Access
Limit the number of users with administrative privileges on systems running VirtualBox
Network Segmentation
Isolate VirtualBox hosts from critical network segments to limit the impact of the scope change
🧯 If You Can't Patch
- Implement strict access controls to limit who has administrative access to VirtualBox hosts
- Monitor VirtualBox hosts for unusual activity and implement enhanced logging
🔍 How to Verify
Check if Vulnerable:
Check the installed VirtualBox version with 'VBoxManage --version'; the command is the same on Windows, Linux and macOS. A host is vulnerable if it reports 7.1.14 or 7.2.4.
Check Version:
VBoxManage --version
Verify Fix Applied:
Verify that the version reported by 'VBoxManage --version' is newer than 7.1.14 (on the 7.1 branch) or 7.2.4 (on the 7.2 branch), matching the fixed versions listed in Oracle's Critical Patch Update
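The version check above is easy to script across a fleet of hosts. The following is an added example, not code from the advisory or from Oracle: it parses the output of 'VBoxManage --version' and classifies the installed build against the two affected versions named on this page. It assumes the output looks like '7.1.14r169017' (major.minor.patch with an optional 'r<revision>' suffix, sometimes followed by a distribution tag such as '_Ubuntu'), treats any patch level at or below the affected one on the 7.1 or 7.2 branch as not fixed, and reports branches the advisory does not name as unknown; the function names are this example's own.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected versions named in the advisory for CVE-2026-21990, keyed by
# release branch (major, minor) -> last affected patch number.
AFFECTED = {(7, 1): 14, (7, 2): 4}

# Assumption: `VBoxManage --version` prints e.g. "7.1.14r169017"; an optional
# "r<revision>" and any trailing distribution tag are ignored for the comparison.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:r(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from VBoxManage output, or None if it cannot be parsed."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def assess(version: Tuple[int, int, int]) -> str:
    """Classify a parsed version as 'affected', 'fixed' or 'unknown'.

    Assumption: on a branch the advisory names, a patch level at or below the
    listed one has not received the fix; a higher patch level has. Branches the
    advisory does not mention cannot be judged from this page alone.
    """
    major, minor, patch = version
    last_affected = AFFECTED.get((major, minor))
    if last_affected is None:
        return "unknown"
    return "affected" if patch <= last_affected else "fixed"


def check_string(text: str) -> str:
    """Classify raw `VBoxManage --version` output; 'unparseable' if the format is unexpected."""
    version = parse_version(text)
    if version is None:
        return "unparseable"
    return assess(version)


def check_installed() -> str:
    """Run `VBoxManage --version` on this host (same command on Windows, Linux and macOS)."""
    try:
        result = subprocess.run(
            ["VBoxManage", "--version"], capture_output=True, text=True, check=True
        )
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        return f"error: {exc}"
    return check_string(result.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, then the live check on the local host.
    for sample in ("7.1.14r169017", "7.2.4r170000", "7.2.6r171000", "7.0.20r163906"):
        print(f"{sample:<16} -> {check_string(sample)}")
    print(f"{'this host':<16} -> {check_installed()}")
```

Run it on each VirtualBox host (or feed it collected version strings); any 'affected' result identifies a host that still needs the patch, while 'unknown' flags a branch you must check against the Oracle advisory by hand rather than assume safe.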
📡 Detection & Monitoring
Log Indicators:
- Unusual VirtualBox process behavior
- Unexpected VirtualBox service restarts
- Suspicious access to VirtualBox configuration files
Network Indicators:
- Unusual network traffic from VirtualBox host to other systems
- Attempts to access VirtualBox management interfaces from unauthorized sources
SIEM Query:
source="VirtualBox" AND (event_type="error" OR event_type="critical") AND (process_name="VBoxSVC" OR process_name="VBoxManage")