This vulnerability exists in the core component of Oracle VM VirtualBox version 7.2.8. It requires an attacker to have high privileges and logon access to the host infrastructure where Oracle VM VirtualBox is running. Successful exploitation can result in complete compromise of Oracle VM VirtualBox, with impacts on confidentiality, integrity, and availability. The CVSS 3.1 base score is 7.5, reflecting a high severity with attack vector local, attack complexity high, privileges required high, no user interaction, and scope changed. Oracle’s June 2026 Critical Security Patch Update advisory references this vulnerability among many others but does not explicitly state a patch or fix for version 7.2.8 in the provided content.

A successful exploit of this vulnerability could allow an attacker with high privileges and local access to take over Oracle VM VirtualBox, potentially affecting confidentiality, integrity, and availability of the virtualization environment. Due to scope change, other products relying on or integrated with Oracle VM VirtualBox may also be impacted. The vulnerability is difficult to exploit and requires significant access, limiting the attack surface to privileged users on the host system.

Oracle strongly recommends applying Critical Security Patch Update patches as soon as possible to address this and other vulnerabilities. Although the advisory does not explicitly confirm a patch for Oracle VM VirtualBox 7.2.8, customers should monitor the referenced Oracle advisory for patch availability and apply updates promptly. Until patches are applied, risk may be reduced by limiting high privileged user access to the infrastructure running Oracle VM VirtualBox and restricting access to necessary packages. Blocking network protocols required by potential attacks may also help but could impact functionality. Oracle emphasizes staying on actively supported versions and applying security patches without delay.