{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/virtualbox/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-35246"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-35246","virtualbox","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35246 is a critical vulnerability affecting Oracle VM VirtualBox version 7.2.6. This vulnerability resides within the Core component of the Oracle Virtualization product. The attack requires a high-privileged attacker who already has logon access to the infrastructure where VirtualBox is running. Successful exploitation can lead to a complete takeover of the VirtualBox application, allowing the attacker to potentially control the virtual machines and their data. This poses a significant risk to organizations relying on VirtualBox for virtualization, as a compromised instance could lead to data breaches, service disruptions, or further lateral movement within the network. 
Defenders need to prioritize patching and implement detection mechanisms to identify potential exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains high-privileged access to the host operating system where Oracle VM VirtualBox 7.2.6 is installed (e.g., through compromised credentials or privilege escalation).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their high privileges to interact with the vulnerable \u0026ldquo;Core\u0026rdquo; component of VirtualBox.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a specific input or utilizes a malicious tool to trigger the vulnerability within the VirtualBox Core component.\u003c/li\u003e\n\u003cli\u003eThis input exploits a flaw in the Core component\u0026rsquo;s memory management, leading to memory corruption.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to inject and execute arbitrary code within the context of the VirtualBox process.\u003c/li\u003e\n\u003cli\u003eThe injected code elevates the attacker\u0026rsquo;s privileges within the VirtualBox environment.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control over the VirtualBox application, including the ability to control virtual machines, access their data, and modify their configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised VirtualBox instance to further their objectives, such as data exfiltration, deploying malware to guest VMs, or pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35246 allows a high-privileged local attacker to completely take over an Oracle VM VirtualBox instance. 
This could result in the compromise of all virtual machines managed by the affected VirtualBox installation, potentially leading to data breaches, service disruptions, and further lateral movement within the network. Given the widespread use of VirtualBox in development, testing, and even production environments, this vulnerability poses a significant risk to a wide range of organizations and potentially impacts a large number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch or upgrade to a non-vulnerable version of Oracle VM VirtualBox as soon as possible to remediate CVE-2026-35246.\u003c/li\u003e\n\u003cli\u003eMonitor VirtualBox process activity for suspicious code injection attempts (see the Sigma rules below).\u003c/li\u003e\n\u003cli\u003eRestrict access to VirtualBox hosts to only authorized personnel to reduce the likelihood of initial compromise.\u003c/li\u003e\n\u003cli\u003eEnable and review VirtualBox audit logs for unusual activity or configuration changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T21:16:40Z","date_published":"2026-04-21T21:16:40Z","id":"/briefs/2026-04-virtualbox-cve-2026-35246/","summary":"CVE-2026-35246 is a vulnerability in Oracle VM VirtualBox version 7.2.6, where a high-privileged attacker with local access can exploit it to compromise the application potentially leading to a complete takeover.","title":"Oracle VM VirtualBox CVE-2026-35246 Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-virtualbox-cve-2026-35246/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-35245"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["virtualbox","rdp","dos","cve-2026-35245"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35245 is a vulnerability affecting Oracle VM VirtualBox version 7.2.6. 
This vulnerability resides in the Core component of VirtualBox and can be exploited by unauthenticated attackers with network access to the RDP service. Successful exploitation leads to a denial-of-service (DoS) condition, causing the VirtualBox application to hang or crash. The vulnerability\u0026rsquo;s ease of exploitation makes it a significant threat to systems running vulnerable versions of VirtualBox exposed to untrusted networks. This vulnerability allows an attacker to disrupt virtual machine operations, potentially impacting services relying on the virtualized environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target system running Oracle VM VirtualBox version 7.2.6 with the RDP service exposed.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a network connection to the target system\u0026rsquo;s RDP port (typically TCP 3389).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a specially crafted RDP request to the vulnerable VirtualBox instance, exploiting CVE-2026-35245.\u003c/li\u003e\n\u003cli\u003eThe malicious RDP request triggers a flaw within the VirtualBox Core component.\u003c/li\u003e\n\u003cli\u003eThe VirtualBox application enters a hung state due to the unhandled exception.\u003c/li\u003e\n\u003cli\u003eAlternatively, the VirtualBox application may crash due to the exploited vulnerability.\u003c/li\u003e\n\u003cli\u003eThe virtual machines hosted on the affected VirtualBox instance become unavailable.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully causes a denial-of-service (DoS) condition, disrupting VirtualBox operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35245 results in a denial-of-service condition, where the Oracle VM VirtualBox application hangs or crashes. 
This impacts the availability of virtual machines running on the affected VirtualBox instance, potentially disrupting critical services and applications. The vulnerability affects VirtualBox version 7.2.6 and poses a risk to organizations utilizing this virtualization platform, especially those with exposed RDP services. The CVSS v3.1 base score is 7.5, reflecting the high availability impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Oracle VM VirtualBox to a version beyond 7.2.6 to patch CVE-2026-35245.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to restrict access to the RDP service, mitigating the risk of external attackers exploiting CVE-2026-35245.\u003c/li\u003e\n\u003cli\u003eMonitor RDP connections for suspicious activity, such as connections from unexpected source IPs, to detect potential exploitation attempts targeting CVE-2026-35245.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectSuspiciousRDPConnections\u003c/code\u003e to identify unusual RDP activity that may indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T21:16:40Z","date_published":"2026-04-21T21:16:40Z","id":"/briefs/2026-04-virtualbox-dos/","summary":"An unauthenticated attacker with network access via RDP can exploit CVE-2026-35245 in Oracle VM VirtualBox version 7.2.6 to cause a denial-of-service (DoS) condition.","title":"Oracle VirtualBox Unauthenticated RDP Denial-of-Service Vulnerability (CVE-2026-35245)","url":"https://feed.craftedsignal.io/briefs/2026-04-virtualbox-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Virtualbox","version":"https://jsonfeed.org/version/1.1"}