CVE-2026-35246 Overview
CVE-2026-35246 affects the Core component of Oracle VM VirtualBox version 7.2.6. The flaw allows a high-privileged local attacker with logon access to the host infrastructure to compromise the hypervisor. Successful exploitation results in full takeover of Oracle VM VirtualBox and can propagate impact beyond the affected product due to a scope change. Oracle disclosed the issue as part of the April 2026 Critical Patch Update. The vulnerability maps to [CWE-284: Improper Access Control].
Critical Impact
Local privileged attackers can take over Oracle VM VirtualBox and impact additional products through scope-changing exploitation.
Affected Products
- Oracle VM VirtualBox 7.2.6 (Core component)
- Host systems running the affected release, regardless of guest operating system
Discovery Timeline
- 2026-04-21 - CVE-2026-35246 published to NVD
- 2026-04-21 - Oracle Critical Patch Update April 2026 released
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-35246
Vulnerability Analysis
The vulnerability resides in the Core component of Oracle VM VirtualBox 7.2.6. An attacker requires local logon access to the infrastructure where VirtualBox executes and must already hold high privileges. Attack complexity is rated high, which in CVSS terms means the attacker must satisfy conditions outside their direct control, such as a specific runtime state or a narrow timing window. Despite these constraints, a successful attack results in complete compromise of the VirtualBox process, affecting confidentiality, integrity, and availability.
The scope change indicates that exploitation crosses a security boundary. An attacker who compromises VirtualBox can reach resources managed by other security authorities, such as the host operating system or co-resident guest virtual machines. This is the standard risk profile for hypervisor escape and host-impact bugs in virtualization software.
Root Cause
The weakness is classified as [CWE-284: Improper Access Control]. The Core component fails to enforce expected access restrictions on a privileged operation. Oracle has not published implementation-level details. Consult the Oracle Critical Patch Update April 2026 advisory for component-specific notes.
Attack Vector
The attack vector is local. An attacker must authenticate to the host and operate with high privileges before invoking the vulnerable code path. No user interaction is required. Realistic exploitation scenarios include malicious administrators, compromised service accounts on the host, or attackers who have already escalated privileges through a separate vulnerability. No public or verified proof-of-concept code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Oracle has not published component-level technical details beyond the Critical Patch Update April 2026 advisory; refer to that advisory for any further notes.
Detection Methods for CVE-2026-35246
Indicators of Compromise
- Unexpected modifications to VirtualBox configuration files or VM definitions on the host
- Unusual child processes spawned by VBoxHeadless, VBoxSVC, or VirtualBox binaries
- Privileged account activity on virtualization hosts outside of approved change windows
Detection Strategies
- Monitor process creation events where VirtualBox host processes spawn shells or system utilities
- Track changes to VirtualBox installation directories and binary integrity
- Correlate local logon events on virtualization hosts with subsequent privileged operations against VirtualBox services
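The first detection strategy above, as an added example that is not part of the original page or of any Oracle tooling: a small shell filter that flags process-creation records in which a VirtualBox host process is the parent of a shell or system utility. The record layout (`<timestamp> parent=<image> child=<image> user=<account>`) and every log line are constructed for illustration; real sources such as auditd EXECVE records or Sysmon Event ID 1 need their own field mapping, and the lists of parent and child images are assumptions to be tuned per environment.

```shell
#!/bin/sh
# Added example (not from the Oracle advisory or the original page): flag process
# creation records where a VirtualBox host process spawns a shell or system utility.
# Constructed, simplified record layout:
#   <timestamp> parent=<image> child=<image> user=<account>

# Constructed sample records; none are real telemetry.
SAMPLE_LOG='2026-04-22T09:14:02Z parent=VBoxHeadless child=VBoxNetDHCP user=vbox
2026-04-22T09:15:11Z parent=VBoxSVC child=/bin/sh user=root
2026-04-22T09:15:12Z parent=/bin/sh child=/usr/bin/curl user=root
2026-04-22T09:20:40Z parent=VirtualBox child=VBoxHeadless user=dev
2026-04-22T09:21:03Z parent=VBoxHeadless child=/usr/bin/python3 user=root
2026-04-22T10:02:55Z parent=sshd child=/bin/bash user=admin'

# VirtualBox host processes that should normally not launch interactive tools
# (assumed list; extend for your deployment).
VBOX_PARENTS='VBoxHeadless|VBoxSVC|VirtualBox|VirtualBoxVM|VBoxManage'
# Child images worth alerting on (assumed list; extend per environment).
SUSPICIOUS_CHILDREN='sh|bash|dash|zsh|python[0-9.]*|perl|curl|wget|nc|ncat|socat|cmd[.]exe|powershell[.]exe'

# detect_vbox_child_processes: read records on stdin, print the ones that alert.
detect_vbox_child_processes() {
    awk -v parents="^($VBOX_PARENTS)\$" -v children="^($SUSPICIOUS_CHILDREN)\$" '
    {
        parent = ""; child = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "parent") parent = kv[2]
            if (kv[1] == "child")  child  = kv[2]
        }
        # Compare on basename so /usr/bin/curl and curl hit the same rule.
        sub(/.*\//, "", parent); sub(/.*\//, "", child)
        if (parent ~ parents && child ~ children) print $0
    }'
}

# count_vbox_alerts: number of alerting records in the constructed sample log.
count_vbox_alerts() {
    printf '%s\n' "$SAMPLE_LOG" | detect_vbox_child_processes | wc -l | tr -d ' '
}

# Usage: print the alerting records, then their count (2 for the sample above).
printf '%s\n' "$SAMPLE_LOG" | detect_vbox_child_processes
count_vbox_alerts
```

The second sample line (VBoxSVC launching /bin/sh) and the fifth (VBoxHeadless launching python3) are the two that alert; the curl invocation in the third line does not, because its direct parent is the shell, not VirtualBox. In production the child shell would itself be the pivot to watch, so the rule is best paired with a process-tree walk rather than a single parent/child pair.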
Monitoring Recommendations
- Enable host-level audit logging for VirtualBox service accounts and administrative actions, and forward the logs off-host; an attacker who already meets this CVE's high-privilege requirement can tamper with logs kept locally
- Alert on installation of unsigned or unexpected VirtualBox extension packs and kernel modules
- Review guest-to-host interactions for anomalous shared folder, USB, or device passthrough activity
How to Mitigate CVE-2026-35246
Immediate Actions Required
- Apply the fixes from the Oracle Critical Patch Update April 2026 to all hosts running Oracle VM VirtualBox 7.2.6
- Inventory all VirtualBox installations across developer workstations, lab systems, and servers
- Restrict local logon and administrative access on virtualization hosts to a minimal set of accounts
Patch Information
Oracle addressed CVE-2026-35246 in the April 2026 Critical Patch Update. Administrators should review the Oracle Critical Patch Update April 2026 advisory and upgrade Oracle VM VirtualBox to a fixed release. Apply patches according to your standard change management process and validate hypervisor stability after deployment.
Workarounds
- Remove Oracle VM VirtualBox from systems where it is not required
- Keep host administrative and VirtualBox service privileges to the minimum set of accounts; the vulnerable code path requires high privileges, so reducing who holds them directly shrinks the population that can reach it
- Isolate virtualization hosts on dedicated network segments with restricted management access
# Verify installed VirtualBox version on Linux hosts
VBoxManage --version
# Verify installed VirtualBox version on Windows hosts (cmd.exe; in PowerShell prefix the quoted path with &)
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" --version
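Extending the one-line version check above into an inventory step for the "Immediate Actions" list, as an added example that is not the page's own code or an Oracle tool: a POSIX shell script that reduces `VBoxManage --version` output to its dotted release number and classifies it against 7.2.6, the only release this advisory names as affected. Because the page does not name a fixed release, any other version is reported as "unlisted" rather than "safe" and must be checked against the Oracle April 2026 CPU advisory. The build suffix format in the sample inputs (`7.2.6r000000`) is constructed, and the `vboxdrv` module check is an assumption about a typical Linux install.

```shell
#!/bin/sh
# Added example (not from the original page or from Oracle): classify an installed
# VirtualBox build against the single release this advisory names as affected.
# The page names no fixed release, so anything else is reported as "unlisted".

AFFECTED_VERSION='7.2.6'

# parse_vbox_version: reduce "VBoxManage --version" output such as the constructed
# sample "7.2.6r000000" to the dotted release number; prints nothing on garbage.
parse_vbox_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# classify_vbox_version: print "affected", "unlisted" or "unknown" for one version string.
classify_vbox_version() {
    ver=$(parse_vbox_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif [ "$ver" = "$AFFECTED_VERSION" ]; then
        echo affected
    else
        echo unlisted
    fi
}

# check_host: inventory the local host. Looks for VBoxManage on PATH and, failing
# that, for a loaded vboxdrv module (assumed indicator of an install outside PATH).
# Prints a one-line report; returns 1 on an affected host, 2 when manual review is needed.
check_host() {
    host=$(uname -n)
    if ! command -v VBoxManage >/dev/null 2>&1; then
        if [ -r /proc/modules ] && grep -q '^vboxdrv ' /proc/modules; then
            echo "$host: VBoxManage not on PATH but vboxdrv is loaded; inspect manually"
            return 2
        fi
        echo "$host: VirtualBox not installed"
        return 0
    fi
    raw=$(VBoxManage --version 2>/dev/null)
    status=$(classify_vbox_version "$raw")
    echo "$host: VirtualBox $raw -> $status"
    [ "$status" != affected ]
}

# Usage: run the inventory for this host; exit status is 1 on an affected host,
# which lets a fleet runner (ssh loop, Ansible, etc.) collect hits.
check_host
```

Run it under the same account that owns the VirtualBox install, since `VBoxManage` may not be on PATH for other users; the non-zero exit on an affected host is what a fleet-wide loop should key on.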
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.