CVE-2026-46977 is a vulnerability in the VMSVGA device component of Oracle VM VirtualBox version 7.2.8. It allows a high privileged local attacker to compromise Oracle VM VirtualBox, potentially impacting additional products due to scope change. Successful exploitation results in unauthorized read access to a subset of data accessible by Oracle VM VirtualBox. The CVSS 3.1 vector indicates local attack vector, low attack complexity, high privileges required, no user interaction, scope changed, and low confidentiality impact. Oracle's June 2026 Critical Security Patch Update advisory references this vulnerability but does not explicitly state a dedicated patch version for it. Oracle recommends applying the Critical Security Patch Update to address this and other vulnerabilities.

The vulnerability allows unauthorized read access to some data accessible by Oracle VM VirtualBox when exploited by a high privileged local attacker. There is no impact on integrity or availability. The scope change indicates that other Oracle products may be affected indirectly. The overall severity is low (CVSS 3.2). No known active exploitation has been reported.

Oracle strongly recommends applying the June 2026 Critical Security Patch Update, which includes security patches addressing this vulnerability among others. Until patches are applied, risk may be reduced by limiting high privileged user access to the infrastructure running Oracle VM VirtualBox and removing unnecessary privileges. Blocking network protocols required by potential attacks may also help but could impact functionality. Patch status for this specific vulnerability is not explicitly confirmed; customers should consult the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html for the latest remediation guidance.