CVE-2026-35250

LOW

Oracle VM VirtualBox 7.2.6 - Authenticated Partial Denial of Service

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-35250. PoCs published by xooxo.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2026-35250, an integer overflow vulnerability in VirtualBox's DevVGA_VBVA.cpp. The exploit triggers a DoS by sending malformed mouse pointer shape data, causing heap over-read and NULL pointer write crashes in the host.

Description

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 2.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

Exploits (1)

nomisec WORKING POC
by xooxo · poc
https://github.com/xooxo/CVE-2026-35250

This repository contains a functional exploit PoC for CVE-2026-35250, an integer overflow vulnerability in VirtualBox's DevVGA_VBVA.cpp. The exploit triggers a DoS by sending malformed mouse pointer shape data, causing heap over-read and NULL pointer write crashes in the host.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Oracle VirtualBox (version not specified)
No auth needed
Prerequisites: VirtualBox with VGA device · guest OS with kernel module support
devstral-2 · analyzed May 08, 2026 Full analysis →

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
Oracle Advisory
https://www.oracle.com/security-alerts/cpuapr2026.html

Scores

CVSS v3 2.3
EPSS 0.0011
EPSS Percentile 1.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-284
Status published
Products (2)
oracle/vm_virtualbox 7.2.6
Oracle Corporation/Oracle VM VirtualBox 7.2.6
Published Apr 21, 2026
Tracked Since Apr 22, 2026