{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21985", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-01-05T18:07:34.717Z", "datePublished": "2026-01-20T21:56:40.467Z", "dateUpdated": "2026-01-23T21:55:15.535Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-01-20T21:56:40.467Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle VM VirtualBox", "versions": [{"version": "7.1.14", "status": "affected", "versionType": "semver"}, {"version": "7.2.4", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:vm_virtualbox:7.1.14:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:vm_virtualbox:7.2.4:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "baseScore": 6, "baseSeverity": "MEDIUM"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T18:56:39.975895Z", "id": "CVE-2026-21985", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T21:55:15.535Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21985", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T18:56:39.975895Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T18:56:56.630Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle VM VirtualBox", "versions": [{"status": "affected", "version": "7.1.14", "versionType": "semver"}, {"status": "affected", "version": "7.2.4", "versionType": "semver"}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data."}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:vm_virtualbox:7.1.14:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:vm_virtualbox:7.2.4:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-01-20T21:56:40.467Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21985", "state": "PUBLISHED", "dateUpdated": "2026-01-23T21:55:15.535Z", "dateReserved": "2026-01-05T18:07:34.717Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2026-01-20T21:56:40.467Z", "assignerShortName": "oracle"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:vm_virtualbox:7.1.14:*:*:*:*:*:*:*", "matchCriteriaId": "723CD90A-7213-4B3C-B969-C6D7110CAF46", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:vm_virtualbox:7.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "44ABFABE-8FFC-48CF-B627-4241CAD563B6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)."}], "id": "CVE-2026-21985", "lastModified": "2026-01-29T14:40:06.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 4.0, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-01-20T22:16:02.000", "references": [{"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:34:59.289551+00:00", "value": {"mitigation_remediation": ["Apply the latest official Oracle update that addresses the VirtualBox 7.1.14 and 7.2.4 vulnerability.", "Limit local administrative and logon privileges on hosts running VirtualBox, ensuring only trusted users have high\u2011privilege access.", "Configure auditing and monitoring on the host to detect anomalous activity related to VirtualBox processes."], "summary": {"action": "Immediate Patch", "impact": "Confidentiality Compromise via Local Privileged Attacker"}, "threat_synthesis": {"affected_systems": "Oracle VM VirtualBox 7.1.14 and 7.2.4, delivered by Oracle Corporation.", "description_and_impact": "A bug in the core component of Oracle VM VirtualBox allows a high\u2011privileged attacker who has logged onto the host infrastructure to compromise the VirtualBox installation. The resulting compromise can provide unauthorized access to critical data, leading to confidentiality loss. Based on the CVSS vector, the attack requires a local presence on the host and high privileges; it does not require network\u2011based exploitation or user interaction, but it does rely on the attacker already having local logon capabilities. The vulnerability can potentially affect other products through scope changes, amplifying its impact.", "risk_and_exploitability": "The CVSS base score of 6.0 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. Although the vulnerability is not listed in CISA\u2019s KEV catalog, the fact that it requires high local privileges and provides confidentiality impacts means that it should still be considered a serious risk in environments where VirtualBox runs with elevated rights. The scope change possibility means that a successful local exploit could also jeopardize other systems that are dependent on the compromised VirtualBox instance."}}}}, "created": "2026-04-18T15:45:04.270672+00:00", "title": "Local Privileged Escalation in Oracle VM VirtualBox Core Component", "updated": "2026-04-18T15:45:04.270684+00:00", "vendors": []}