CVE-2026-35275 Overview
CVE-2026-35275 is a high-severity vulnerability in the Shared Folders component of Oracle VM VirtualBox version 7.2.8. The flaw allows a low-privileged attacker with local logon access to the host infrastructure to compromise VirtualBox. Although the vulnerability resides in VirtualBox, successful exploitation produces a scope change that affects additional products beyond the virtualization boundary. Attackers can gain unauthorized read, modify, create, or delete access to all VirtualBox-accessible data. Oracle published this issue as part of the June 2026 Critical Patch Update.
Critical Impact
Successful exploitation enables a guest-to-host scope change, granting full read and write access to data accessible by Oracle VM VirtualBox on the host system.
Affected Products
- Oracle VM VirtualBox 7.2.8
- Oracle Virtualization product family
- Host systems running vulnerable VirtualBox installations with Shared Folders enabled
Discovery Timeline
- 2026-06-17 - CVE-2026-35275 published to NVD
- 2026-06-18 - Last updated in NVD database
- June 2026 - Addressed in the Oracle Critical Patch Update
Technical Details for CVE-2026-35275
Vulnerability Analysis
The vulnerability resides in the Shared Folders component of Oracle VM VirtualBox 7.2.8. Shared Folders provides a mechanism for guest virtual machines to access directories on the host system through a paravirtualized interface. The flaw is categorized under [CWE-284] (Improper Access Control), indicating that the component fails to correctly enforce boundaries on operations performed against shared resources.
Exploitation requires local access and authenticated low-privilege credentials on the infrastructure where VirtualBox runs. The attack complexity is high, meaning that the attacker must satisfy preconditions outside their direct control. Successful exploitation produces a scope change, allowing the impact to extend beyond the VirtualBox security boundary into the host or other co-resident components.
Root Cause
The root cause is improper access control within the Shared Folders subsystem. The component does not adequately validate or restrict actions an attacker with logon access can perform against host-side data exposed through shared folder mappings. This permits unauthorized creation, modification, deletion, and disclosure of data accessible to VirtualBox.
Attack Vector
The attack vector is local. An attacker requires authenticated access to the system running VirtualBox and must leverage the Shared Folders interface to break out of the intended access constraints. No user interaction is required. Because the scope changes during exploitation, data and components outside the VirtualBox process boundary are at risk. Availability is not impacted, but confidentiality and integrity are fully compromised within the accessible scope.
No public proof-of-concept code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-35275
Indicators of Compromise
- Unexpected file creation, deletion, or modification within directories mapped as VirtualBox shared folders on the host
- Anomalous VirtualBox process activity originating from low-privileged user sessions
- Host file system access patterns initiated by VBoxSVC.exe or VBoxHeadless outside expected guest workflows
Detection Strategies
- Monitor file integrity on host directories exposed to guests through Shared Folders and alert on writes from non-administrative users
- Audit VirtualBox configuration files for unauthorized changes to shared folder mappings or permission flags
- Correlate local logon events with subsequent VirtualBox guest activity to identify privilege boundary anomalies
Monitoring Recommendations
- Enable detailed file system auditing on all host paths exposed as shared folders
- Log and review VirtualBox API calls and Shared Folders mount operations
- Track installed VirtualBox versions across the fleet and flag hosts still running 7.2.8
How to Mitigate CVE-2026-35275
Immediate Actions Required
- Apply the fixes contained in the Oracle June 2026 Critical Patch Update to all affected VirtualBox installations
- Inventory hosts running Oracle VM VirtualBox 7.2.8 and prioritize patching systems exposing Shared Folders to untrusted guests
- Restrict local logon rights on hosts running VirtualBox to reduce the population of users who meet the exploitation precondition
Patch Information
Oracle released a fix as part of the June 2026 Critical Patch Update. Refer to the Oracle Security Alert for upgrade instructions and the corrected VirtualBox build that supersedes version 7.2.8.
Workarounds
- Disable the Shared Folders feature on virtual machines that do not require host directory access
- Limit shared folder mappings to read-only mode where write access is not strictly required
- Avoid exposing sensitive host directories through Shared Folders and use dedicated, isolated paths instead
- Enforce least privilege on host accounts to minimize the number of users who can interact with VirtualBox locally
# Configuration example: remove a shared folder mapping from a VM
VBoxManage sharedfolder remove "VMName" --name "sharedDirName"
# Make an existing shared folder read-only
VBoxManage sharedfolder add "VMName" --name "sharedDirName" \
--hostpath "/path/to/host/dir" --readonly
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
