CVE-2026-46768 is a vulnerability in the VMSVGA device component of Oracle VM VirtualBox version 7.2.8. It allows an attacker with high privileges and logon access to the host infrastructure to cause Oracle VM VirtualBox to hang or crash repeatedly, resulting in a complete denial of service. The vulnerability affects availability only and has a CVSS 3.1 score of 6.0 (medium severity). Oracle has acknowledged this vulnerability in its June 2026 Critical Security Patch Update advisory, which includes 245 security patches across multiple products. While the advisory strongly recommends applying patches promptly, it does not explicitly confirm a patch for this specific version. Mitigation options include applying the Critical Security Patch Update and reducing attack surface by limiting privileges or blocking network protocols required by the attack, with caution due to possible functional impacts.

Successful exploitation of this vulnerability results in a complete denial of service (DoS) condition for Oracle VM VirtualBox version 7.2.8 by causing the application to hang or crash repeatedly. The impact is limited to availability; confidentiality and integrity are not affected. The vulnerability requires a high privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox runs. There are no known exploits in the wild at this time.

Oracle strongly recommends applying the June 2026 Critical Security Patch Update promptly to address this and other vulnerabilities. Until patches are applied, risk may be reduced by blocking network protocols required by the attack or by removing unnecessary privileges from users who do not require them. These mitigations may impact application functionality and should be applied with caution. Patch status for this specific vulnerability and version is not explicitly confirmed; users should consult the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html for the latest patch availability and instructions.