CVE-2026-35247 affects Oracle VM VirtualBox 7.2.6 and is a core component vulnerability that can be exploited by a high privileged attacker with local access to the infrastructure running VirtualBox. The vulnerability allows unauthorized access to critical or all accessible data within Oracle VM VirtualBox, with a scope change potentially impacting additional Oracle products. The CVSS vector indicates local attack vector, low attack complexity, high privileges required, no user interaction, scope changed, and high confidentiality impact without integrity or availability impact. Oracle's April 2026 Critical Patch Update advisory references multiple patches but does not explicitly confirm a patch for this specific CVE. The vulnerability is currently rated medium severity with no known active exploitation.

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all data accessible by Oracle VM VirtualBox. The scope of impact may extend beyond VirtualBox to other Oracle products due to the nature of the vulnerability. The attack requires an attacker to have high privileges and local access to the infrastructure where VirtualBox runs. There is no indication of impact on data integrity or availability. No known exploits are reported in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Oracle's April 2026 Critical Patch Update advisory includes numerous security patches, and customers are strongly advised to apply all relevant patches promptly. Since the vulnerability requires high privileged local access, restricting such access and ensuring that only trusted users have elevated privileges can reduce risk. Monitor Oracle's security alerts page for updates regarding specific patches for Oracle VM VirtualBox.