This vulnerability affects Oracle VM VirtualBox 7.2.6 and allows a high privileged attacker with local logon to compromise the VirtualBox environment. The vulnerability is difficult to exploit and has a scope change, meaning it can affect other Oracle products beyond VirtualBox. The CVSS 3.1 vector indicates it requires local access (AV:L), high attack complexity (AC:H), high privileges (PR:H), no user interaction (UI:N), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). Oracle's April 2026 Critical Patch Update advisory references this vulnerability among many others but does not explicitly confirm a dedicated patch for it. Oracle emphasizes the importance of applying Critical Patch Updates to address such vulnerabilities.

Successful exploitation of this vulnerability can result in full takeover of Oracle VM VirtualBox, compromising confidentiality, integrity, and availability of the affected system. Due to scope change, other Oracle products may also be significantly impacted. The vulnerability requires a high privileged attacker with logon access, limiting the attack surface to insiders or compromised accounts with elevated privileges. No known exploits in the wild have been reported as of the advisory date.

Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory, which contains numerous security patches. Although the advisory does not explicitly confirm a dedicated patch for CVE-2026-35230, Oracle strongly recommends applying the April 2026 Critical Patch Update promptly to mitigate this and other vulnerabilities. Customers should ensure they are running actively supported versions and keep their Oracle software up to date with the latest patches. Patch status is not yet confirmed explicitly for this vulnerability; therefore, check the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for the latest remediation guidance.