CVE-2008-3431

HIGH KEV RANSOMWARE

Sun xVM VirtualBox <1.6.4 - Privilege Escalation

Exploitation Summary

CVE-2008-3431 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including Core Security.

AI-analyzed exploit summary: This exploit demonstrates a privilege escalation vulnerability in Sun xVM VirtualBox's 'VBoxDrv.sys' driver due to insufficient input validation in IOCTL handling. It allows arbitrary kernel memory writes via METHOD_NEITHER, leading to local privilege escalation on Windows hosts.

Description

The VBoxDrvNtDeviceControl function in VBoxDrv.sys in Sun xVM VirtualBox before 1.6.4 uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to gain privileges by opening the \\.\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Core Security · text · dos · multiple
https://www.exploit-db.com/exploits/6218

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Sun xVM VirtualBox 1.6.2 and 1.6.0 (Windows)
No auth needed
Prerequisites: Local access to a Windows host with vulnerable VirtualBox installed
devstral-2 · analyzed Feb 16, 2026

References (12)

Core References
Broken Link, Exploit, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/30481
Broken Link third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/4107
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/6218
Broken Link vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-66-240095-1
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/31361
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/44202
Broken Link vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/2293
Product x_refsource_confirm
http://virtualbox.org/wiki/Changelog
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1020625
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/495095/100/0/threaded

Scores

CVSS v3 8.8
EPSS 0.0544
EPSS Percentile 90.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-03
VulnCheck KEV 2021-02-11
InTheWild.io 2022-03-03
ENISA EUVD EUVD-2008-3417
Ransomware Use Confirmed
Status published
Products (1)
oracle/virtualbox < 1.6.4
Published Aug 05, 2008
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026