This vulnerability exists in the core component of Oracle VM VirtualBox 7.2.6. It requires an attacker with high privileges and local access to the system where VirtualBox runs. Successful exploitation can lead to complete compromise of Oracle VM VirtualBox, with impacts on confidentiality, integrity, and availability. The CVSS 3.1 base score is 7.5, reflecting a high severity with attack vector local, attack complexity high, privileges required high, no user interaction, and scope change. The vulnerability is tracked as CWE-284 (Improper Access Control). Oracle's April 2026 Critical Patch Update advisory references multiple patches but does not explicitly confirm a patch for this CVE in the provided content.

If exploited, this vulnerability allows a high privileged local attacker to take over Oracle VM VirtualBox, potentially affecting confidentiality, integrity, and availability of the virtualization environment. The scope of impact may extend to additional products beyond VirtualBox due to the nature of the compromise. There are no known exploits in the wild at this time.

Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory. However, the advisory content provided does not explicitly confirm the availability of a patch for CVE-2026-35242. Customers should review the Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for the latest patch availability and apply updates promptly. Until a patch is confirmed and applied, limit access to systems running Oracle VM VirtualBox to trusted, high privileged users only. Monitor Oracle advisories for updates on remediation status.