CVE-2026-35251 is a vulnerability in the core component of Oracle VM VirtualBox version 7.2.6. It requires a high privileged attacker with local access (logon) to the infrastructure where VirtualBox runs. The vulnerability is difficult to exploit and has a scope change, meaning successful exploitation can affect other products beyond VirtualBox. The CVSS 3.1 vector indicates local attack vector (AV:L), high attack complexity (AC:H), high privileges required (PR:H), no user interaction (UI:N), scope changed (S:C), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Oracle’s April 2026 Critical Patch Update advisory mentions many patches but does not explicitly confirm a patch for this vulnerability, and no remediation level is specified. No known exploits in the wild have been reported.

Successful exploitation of CVE-2026-35251 can result in complete takeover of Oracle VM VirtualBox, impacting confidentiality, integrity, and availability of the affected system. Due to scope change, additional Oracle products may also be significantly impacted. The vulnerability requires high privileges and local access, limiting the attack surface to trusted users or compromised accounts with elevated rights. No known exploits have been observed in the wild so far.

Patch status for CVE-2026-35251 is not explicitly confirmed in the Oracle April 2026 Critical Patch Update advisory. Oracle strongly recommends applying all relevant Critical Patch Updates promptly to mitigate known vulnerabilities. Customers should verify patch availability for Oracle VM VirtualBox 7.2.6 on Oracle’s official security advisory page and apply updates as soon as they become available. Until a patch is confirmed and applied, restrict high privileged access to the infrastructure running Oracle VM VirtualBox to trusted personnel only.