Your message dated Tue, 3 Feb 2026 06:58:13 +0100
with message-id <[email protected]>
and subject line Re: Accepted virtualbox 7.2.6-dfsg-1 (source) into unstable
has caused the Debian Bug report #1126117,
regarding virtualbox: CVE-2026-21990 CVE-2026-21989 CVE-2026-21988
CVE-2026-21987 CVE-2026-21986 CVE-2026-21985 CVE-2026-21984 CVE-2026-21983
CVE-2026-21982 CVE-2026-21981 CVE-2026-21963 CVE-2026-21957 CVE-2026-21956
CVE-2026-21955
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126117: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126117
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: virtualbox
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for virtualbox.
CVE-2026-21990[0]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
CVE-2026-21989[1]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| creation, deletion or modification access to critical data or all
| Oracle VM VirtualBox accessible data as well as unauthorized access
| to critical data or complete access to all Oracle VM VirtualBox
| accessible data and unauthorized ability to cause a partial denial
| of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base
| Score 8.1 (Confidentiality, Integrity and Availability impacts).
| CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).
CVE-2026-21988[2]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
CVE-2026-21987[3]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
CVE-2026-21986[4]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows unauthenticated attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to
| Windows VMs only. CVSS 3.1 Base Score 7.1 (Availability impacts).
| CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
CVE-2026-21985[5]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| access to critical data or complete access to all Oracle VM
| VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality
| impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
CVE-2026-21984[6]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
CVE-2026-21983[7]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
CVE-2026-21982[8]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability
| allows unauthenticated attacker with access to the physical
| communication segment attached to the hardware where the Oracle VM
| VirtualBox executes to compromise Oracle VM VirtualBox. Successful
| attacks of this vulnerability can result in takeover of Oracle VM
| VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and
| Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2026-21981[9]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| read access to a subset of Oracle VM VirtualBox accessible data and
| unauthorized ability to cause a partial denial of service (partial
| DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.6
| (Confidentiality and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L).
CVE-2026-21963[10]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in unauthorized
| access to critical data or complete access to all Oracle VM
| VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality
| impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
CVE-2026-21957[11]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
CVE-2026-21956[12]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
CVE-2026-21955[13]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are
| affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability
| allows high privileged attacker with logon to the infrastructure
| where Oracle VM VirtualBox executes to compromise Oracle VM
| VirtualBox. While the vulnerability is in Oracle VM VirtualBox,
| attacks may significantly impact additional products (scope change).
| Successful attacks of this vulnerability can result in takeover of
| Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality,
| Integrity and Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-21990
https://www.cve.org/CVERecord?id=CVE-2026-21990
[1] https://security-tracker.debian.org/tracker/CVE-2026-21989
https://www.cve.org/CVERecord?id=CVE-2026-21989
[2] https://security-tracker.debian.org/tracker/CVE-2026-21988
https://www.cve.org/CVERecord?id=CVE-2026-21988
[3] https://security-tracker.debian.org/tracker/CVE-2026-21987
https://www.cve.org/CVERecord?id=CVE-2026-21987
[4] https://security-tracker.debian.org/tracker/CVE-2026-21986
https://www.cve.org/CVERecord?id=CVE-2026-21986
[5] https://security-tracker.debian.org/tracker/CVE-2026-21985
https://www.cve.org/CVERecord?id=CVE-2026-21985
[6] https://security-tracker.debian.org/tracker/CVE-2026-21984
https://www.cve.org/CVERecord?id=CVE-2026-21984
[7] https://security-tracker.debian.org/tracker/CVE-2026-21983
https://www.cve.org/CVERecord?id=CVE-2026-21983
[8] https://security-tracker.debian.org/tracker/CVE-2026-21982
https://www.cve.org/CVERecord?id=CVE-2026-21982
[9] https://security-tracker.debian.org/tracker/CVE-2026-21981
https://www.cve.org/CVERecord?id=CVE-2026-21981
[10] https://security-tracker.debian.org/tracker/CVE-2026-21963
https://www.cve.org/CVERecord?id=CVE-2026-21963
[11] https://security-tracker.debian.org/tracker/CVE-2026-21957
https://www.cve.org/CVERecord?id=CVE-2026-21957
[12] https://security-tracker.debian.org/tracker/CVE-2026-21956
https://www.cve.org/CVERecord?id=CVE-2026-21956
[13] https://security-tracker.debian.org/tracker/CVE-2026-21955
https://www.cve.org/CVERecord?id=CVE-2026-21955
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: virtualbox
Source-Version: 7.2.6-dfsg-1
Hi Gianfranco,
I think this update fixes the recent batch of CVEs issues for
virtualbox as well, but please double-check.
Regards,
Salvatore
On Mon, Feb 02, 2026 at 04:23:22PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Mon, 02 Feb 2026 17:06:15 +0100
> Source: virtualbox
> Built-For-Profiles: noudeb
> Architecture: source
> Version: 7.2.6-dfsg-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Virtualbox Team <[email protected]>
> Changed-By: Gianfranco Costamagna <[email protected]>
> Changes:
> virtualbox (7.2.6-dfsg-1) unstable; urgency=medium
> .
> * New upstream version 7.2.6-dfsg
> * Bump std-version to 4.7.3, no changes required
> * Drop patch new-curl.patch now upstream
> * refresh patches
> * Switch from fuse2 to fuse3
> Checksums-Sha1:
> 790a60f9e5403f12fb273f0d00396230955530ce 3834 virtualbox_7.2.6-dfsg-1.dsc
> c2a42d0843f1626928c9822102f3cb0376001491 115204788
> virtualbox_7.2.6-dfsg.orig.tar.xz
> 9ef827f694cdfd36cb1f8356a6d4f44ff541ebd8 83808
> virtualbox_7.2.6-dfsg-1.debian.tar.xz
> 4976a9b0817e03f7b3b91e41c33b7af3087ca46b 11402
> virtualbox_7.2.6-dfsg-1_source.buildinfo
> Checksums-Sha256:
> 1dbc46ffc244e74a07a5f28b9b83e423e5aa2891a7dae0168d426a8d846ff19e 3834
> virtualbox_7.2.6-dfsg-1.dsc
> b30f765b0660f5875da0c1af6ccd16643a293126ae3af199f3706a385480148d 115204788
> virtualbox_7.2.6-dfsg.orig.tar.xz
> dc81e54f4f4954685f0ad2eace58816126c3e98207b85418d8ea479e12dbef68 83808
> virtualbox_7.2.6-dfsg-1.debian.tar.xz
> 7eac37fd293b4c81920c9802c2fe4ec7a8839834b34893818a772a99a8db031c 11402
> virtualbox_7.2.6-dfsg-1_source.buildinfo
> Files:
> 99f2afa8e6326a9ef903b8fd1d6aa251 3834 contrib/misc optional
> virtualbox_7.2.6-dfsg-1.dsc
> bc7e290f543d3a3a9c351525990cad04 115204788 contrib/misc optional
> virtualbox_7.2.6-dfsg.orig.tar.xz
> 0a4349c04378036eef9a288f62a03c84 83808 contrib/misc optional
> virtualbox_7.2.6-dfsg-1.debian.tar.xz
> ef77380359c1a81ec4f43388afee8daf 11402 contrib/misc optional
> virtualbox_7.2.6-dfsg-1_source.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEkpeKbhleSSGCX3/w808JdE6fXdkFAmmAy94ACgkQ808JdE6f
> XdksuxAAwnUNM3tGqc6MOYhurR/w4UrJMX6XmaEUBoWNJqHiVJShrMUGp/vou89V
> /PAdQadt/Jow99H//ssEz44I0BPKiEcWdRantKsaB0z4o9fPi9UhVRyQlOv1zFn3
> lYwm29WhPHfHhv9vKFpPj/fuzP4NZyE7RsmEfweAjnZ8gexjWFBRn3vCX4PKP4gH
> OW5o8B4X1aqhDdj1YVLxo2fu+9eOanW1hOFC0yN74d0V8GenVWMhduUfqazCzAxN
> tNWji1FGECfyTsbPEUtOX+rex/PLS85jdcvuOduSE58L3OjFxNoSiMsJsFDSGLeV
> 15wPSsIvs97XO9svqIdYeYgofd9ybQ5SPfsKijaNpNHD8HSrDJDFTZMGzIuSThou
> rriw4Jm0HcR+bw67td5m3fEY2uJXoODHTzcmpXQptP/RNdBhGW4um1kixe9wPhKI
> YW3UCcdDZhVlpM7lvc1huKzA9YkPa6ALv3ibliv2mY89NtS6WAItGlRUlhpMLJHl
> qp/Xm8hpvvFTrWH8xNTXnYsPnuna6mHyMIWXJVyKHSlIGHCZN/ealcHzAd65qRGB
> P6Mx1Wqt/4LsODXxIjsis152gG54sQJW0xl9CJaVxOOOJg4j83wexTtg8eVnurL8
> Qrhh9cis/q94QecOs9k4sAphombMcXV/mzme2DXH0EW9iWk+nQw=
> =gyh9
> -----END PGP SIGNATURE-----
--- End Message ---
