Source: virtualbox
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for virtualbox.

CVE-2025-61759[0]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows low privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| access to critical data or complete access to all Oracle VM
| VirtualBox accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality
| impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

CVE-2025-61760[1]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.12 and 7.2.2. Difficult to exploit vulnerability
| allows low privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. Successful attacks require human interaction from a
| person other than the attacker and while the vulnerability is in
| Oracle VM VirtualBox, attacks may significantly impact additional
| products (scope change). Successful attacks of this vulnerability
| can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score
| 7.5 (Confidentiality, Integrity and Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).

CVE-2025-62587[2]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2025-62588[3]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2025-62589[4]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2025-62590[5]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2025-62591[6]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| access to critical data or complete access to all Oracle VM
| VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality
| impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE-2025-62592[7]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| access to critical data or complete access to all Oracle VM
| VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality
| impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE-2025-62641[8]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61759
    https://www.cve.org/CVERecord?id=CVE-2025-61759
[1] https://security-tracker.debian.org/tracker/CVE-2025-61760
    https://www.cve.org/CVERecord?id=CVE-2025-61760
[2] https://security-tracker.debian.org/tracker/CVE-2025-62587
    https://www.cve.org/CVERecord?id=CVE-2025-62587
[3] https://security-tracker.debian.org/tracker/CVE-2025-62588
    https://www.cve.org/CVERecord?id=CVE-2025-62588
[4] https://security-tracker.debian.org/tracker/CVE-2025-62589
    https://www.cve.org/CVERecord?id=CVE-2025-62589
[5] https://security-tracker.debian.org/tracker/CVE-2025-62590
    https://www.cve.org/CVERecord?id=CVE-2025-62590
[6] https://security-tracker.debian.org/tracker/CVE-2025-62591
    https://www.cve.org/CVERecord?id=CVE-2025-62591
[7] https://security-tracker.debian.org/tracker/CVE-2025-62592
    https://www.cve.org/CVERecord?id=CVE-2025-62592
[8] https://security-tracker.debian.org/tracker/CVE-2025-62641
    https://www.cve.org/CVERecord?id=CVE-2025-62641

Please adjust the affected versions in the BTS as needed.

