CVE-2026-21990

Description

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVSS Details

CVSS Score

8.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:oracle:vm_virtualbox:7.1.14:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:oracle:vm_virtualbox:7.2.4:*:*:*:*:*:*:* - VULNERABLE

Oracle VM VirtualBox 7.1.14

Oracle VM VirtualBox 7.2.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-21990 PoC - Oracle VM VirtualBox Core Component Exploitation
# Note: This is a conceptual PoC for educational purposes only
# Actual exploitation requires specific conditions and environment

import ctypes
import os
import sys

def check_virtualbox_version():
    """Check if VirtualBox version is vulnerable"""
    try:
        # Attempt to get VirtualBox version
        # Vulnerable versions: 7.1.14, 7.2.4
        version_check = "VBoxManage --version"
        return True  # In real scenario, parse version output
    except Exception as e:
        print(f"[-] Error checking version: {e}")
        return False

def exploit_cve_2026_21990():
    """
    Conceptual exploitation steps for CVE-2026-21990:
    1. Attacker gains high-privileged access to host system
    2. Attacker identifies vulnerable VirtualBox installation
    3. Attacker crafts malicious input to Core component
    4. Privilege escalation to VirtualBox process context
    5. Potential VM escape or host compromise
    """
    print("[*] CVE-2026-21990 - Oracle VM VirtualBox Core Exploitation")
    print("[*] Target: Oracle VM VirtualBox < 7.1.14 or < 7.2.4")
    
    if not check_virtualbox_version():
        print("[-] VirtualBox not found or not vulnerable")
        return False
    
    print("[+] Vulnerable VirtualBox installation detected")
    print("[+] This vulnerability requires high-privileged local access")
    print("[+] Exploitation leads to complete system compromise")
    print("[-] PoC demonstration complete - patch immediately")
    
    return True

if __name__ == "__main__":
    print("WARNING: This is for authorized security testing only")
    exploit_cve_2026_21990()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21990
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21990
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21990/
[4] VulDB https://vuldb.com/cve/CVE-2026-21990
[5] https://www.oracle.com/security-alerts/cpujan2026.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21990", "sourceIdentifier": "[email protected]", "published": "2026-01-20T22:16:02.590", "lastModified": "2026-01-29T16:00:32.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)."}, {"lang": "es", "value": "Vulnerabilidad en el producto Oracle VM VirtualBox de Oracle Virtualization (componente: Core). Versiones compatibles que están afectadas son 7.1.14 y 7.2.4. Vulnerabilidad fácilmente explotable permite a un atacante con altos privilegios con inicio de sesión en la infraestructura donde se ejecuta Oracle VM VirtualBox comprometer Oracle VM VirtualBox. Aunque la vulnerabilidad está en Oracle VM VirtualBox, los ataques pueden impactar significativamente productos adicionales (cambio de alcance). Ataques exitosos de esta vulnerabilidad pueden resultar en la toma de control de Oracle VM VirtualBox. Puntuación Base CVSS 3.1 8.2 (impactos en Confidencialidad, Integridad y Disponibilidad). Vector CVSS: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.5, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:vm_virtualbox:7.1.14:*:*:*:*:*:*:*", "matchCriteriaId": "723CD90A-7213-4B3C-B969-C6D7110CAF46"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:vm_virtualbox:7.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "44ABFABE-8FFC-48CF-B627-4241CAD563B6"}]}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}