PT-2026-3705 · Oracle · Virtualbox

Nini +1 · Published 2026-01-01 · Updated 2026-02-16 · CVE-2026-21957

CVSS v3.1: 7.5
Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Oracle VM VirtualBox versions 7.1.14 through 7.2.4

Description

The issue resides in the Core component of Oracle VM VirtualBox and is due to insufficient input validation. Exploitation may allow an attacker to gain full control over the application and potentially compromise Oracle VM VirtualBox. Successful attacks can result in a takeover of Oracle VM VirtualBox, and may significantly impact additional products. The vulnerability is difficult to exploit and requires a high-privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox is running. The vulnerability can be leveraged to achieve arbitrary address read and write (AAR/AAW) and facilitate VM escape.

Recommendations

Oracle VM VirtualBox version 7.1.14 should be updated. Oracle VM VirtualBox version 7.2.4 should be updated.

Fix

RCE

Improper Privilege Management

Weakness Enumeration

Related Identifiers

BDU:2026-00723
CVE-2026-21957
ZDI-26-102

Affected Products

Virtualbox