Package: virtualbox
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for virtualbox.

CVE-2026-21990[0]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2026-21989[1]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| creation, deletion or modification access to critical data or all
| Oracle VM VirtualBox accessible data as well as unauthorized access
| to critical data or complete access to all Oracle VM VirtualBox
| accessible data and unauthorized ability to cause a partial denial
| of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base
| Score 8.1 (Confidentiality, Integrity and Availability impacts).
| CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).

CVE-2026-21988[2]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2026-21987[3]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2026-21986[4]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows unauthenticated attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to
| Windows VMs only. CVSS 3.1 Base Score 7.1 (Availability impacts).
| CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

CVE-2026-21985[5]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| access to critical data or complete access to all Oracle VM
| VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality
| impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE-2026-21984[6]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2026-21983[7]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2026-21982[8]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability
| allows unauthenticated attacker with access to the physical
| communication segment attached to the hardware where the Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox. Successful
| attacks of this vulnerability can result in takeover of Oracle VM
| VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and
| Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2026-21981[9]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| read access to a subset of Oracle VM VirtualBox accessible data and
| unauthorized ability to cause a partial denial of service (partial
| DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.6
| (Confidentiality and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L).

CVE-2026-21963[10]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| access to critical data or complete access to all Oracle VM
| VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality
| impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE-2026-21957[11]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2026-21956[12]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2026-21955[13]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-21990
    https://www.cve.org/CVERecord?id=CVE-2026-21990
[1] https://security-tracker.debian.org/tracker/CVE-2026-21989
    https://www.cve.org/CVERecord?id=CVE-2026-21989
[2] https://security-tracker.debian.org/tracker/CVE-2026-21988
    https://www.cve.org/CVERecord?id=CVE-2026-21988
[3] https://security-tracker.debian.org/tracker/CVE-2026-21987
    https://www.cve.org/CVERecord?id=CVE-2026-21987
[4] https://security-tracker.debian.org/tracker/CVE-2026-21986
    https://www.cve.org/CVERecord?id=CVE-2026-21986
[5] https://security-tracker.debian.org/tracker/CVE-2026-21985
    https://www.cve.org/CVERecord?id=CVE-2026-21985
[6] https://security-tracker.debian.org/tracker/CVE-2026-21984
    https://www.cve.org/CVERecord?id=CVE-2026-21984
[7] https://security-tracker.debian.org/tracker/CVE-2026-21983
    https://www.cve.org/CVERecord?id=CVE-2026-21983
[8] https://security-tracker.debian.org/tracker/CVE-2026-21982
    https://www.cve.org/CVERecord?id=CVE-2026-21982
[9] https://security-tracker.debian.org/tracker/CVE-2026-21981
    https://www.cve.org/CVERecord?id=CVE-2026-21981
[10] https://security-tracker.debian.org/tracker/CVE-2026-21963
    https://www.cve.org/CVERecord?id=CVE-2026-21963
[11] https://security-tracker.debian.org/tracker/CVE-2026-21957
    https://www.cve.org/CVERecord?id=CVE-2026-21957
[12] https://security-tracker.debian.org/tracker/CVE-2026-21956
    https://www.cve.org/CVERecord?id=CVE-2026-21956
[13] https://security-tracker.debian.org/tracker/CVE-2026-21955
    https://www.cve.org/CVERecord?id=CVE-2026-21955

Please adjust the affected versions in the BTS as needed.

