CVE-2026-35247 in Oracle Corporation Oracle VM VirtualBox: Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data.

CVE-2026-35247 affects Oracle VM VirtualBox 7.2.6. It is a vulnerability in the Core component that can be exploited by a high privileged attacker with local access to the infrastructure running VirtualBox. The vulnerability allows unauthorized access to critical data, or to all data accessible to Oracle VM VirtualBox, and the scope change means additional Oracle products may be impacted. The CVSS vector indicates a local attack vector, low attack complexity, high privileges required, no user interaction, changed scope, and high confidentiality impact with no integrity or availability impact. Oracle’s April 2026 Critical Patch Update advisory references multiple patches but does not explicitly confirm a patch for this specific CVE. The vulnerability is currently rated medium severity, with no known active exploitation.
