CVE-2026-35251 affects Oracle VM VirtualBox 7.2.6 and involves a difficult-to-exploit vulnerability that requires a high privileged attacker to have logon access to the host infrastructure. The vulnerability allows the attacker to compromise Oracle VM VirtualBox, potentially leading to full takeover of the virtualization product. The vulnerability has a CVSS 3.1 score of 7.5 with high impact on confidentiality, integrity, and availability, and includes a scope change that may affect other Oracle products. The Oracle Critical Patch Update advisory for April 2026 references multiple security patches but does not explicitly confirm a patch for this vulnerability. No known exploits in the wild have been reported.

If successfully exploited, this vulnerability can result in complete compromise of Oracle VM VirtualBox, affecting confidentiality, integrity, and availability of the virtualization environment. Due to scope change, other Oracle products integrated or dependent on VirtualBox may also be impacted. The attack requires high privileges and local access, limiting the attack vector to trusted users or insiders. No known active exploitation has been reported to date.

The vendor advisory does not explicitly confirm a patch or fix specifically for CVE-2026-35251 but strongly recommends applying the April 2026 Critical Patch Update, which includes numerous security patches across Oracle products. Customers should ensure they are running actively supported versions and apply all relevant Critical Patch Updates without delay. Patch status for this vulnerability is not yet confirmed—check the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for the latest remediation guidance.