CVE-2022-21621 in VM VirtualBox
Summary
by MITRE • 10/19/2022
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.40. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 6.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H).
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/26/2026
The vulnerability identified as CVE-2022-21621 resides within Oracle VM VirtualBox's core component, representing a significant security flaw that affects versions prior to 6.1.40. This issue manifests as a privilege escalation vulnerability that enables attackers with legitimate access to the host infrastructure where VirtualBox operates to gain unauthorized control over the virtualization platform. The vulnerability's classification as easily exploitable indicates that sophisticated attack techniques are not required, making it particularly dangerous in environments where insider threats or compromised accounts exist.
The technical nature of this vulnerability stems from inadequate access controls and privilege management within VirtualBox's core architecture. When an attacker with high privileges accesses the host system where VirtualBox executes, they can leverage this vulnerability to compromise the virtualization environment itself. The flaw operates at a foundational level of the virtualization stack, potentially allowing for complete system compromise. This represents a critical failure in the principle of least privilege and demonstrates how virtualization platforms can become attack vectors when proper isolation mechanisms are compromised.
The operational impact of this vulnerability extends beyond the immediate VirtualBox environment, as indicated by the scope change aspect of the attack vector. Successful exploitation can result in complete denial of service conditions that cause VirtualBox to hang or repeatedly crash, effectively rendering the virtualization platform unusable. The CVSS 3.1 score of 6.0 reflects the availability impact, with the attack vector requiring local access with high privileges and no user interaction. This configuration places the vulnerability in a particularly dangerous category, as it can be exploited by insiders or attackers who have already compromised the host infrastructure, potentially leading to complete system outages and disruption of virtualized services.
Security professionals should note that this vulnerability aligns with CWE-284 (Improper Access Control) and may map to ATT&CK techniques related to privilege escalation and persistence within virtualized environments. Organizations using Oracle VM VirtualBox should immediately implement the vendor-provided patches and updates to address this issue, as the vulnerability can be leveraged to achieve complete system compromise. Additionally, network segmentation and monitoring of host systems can help detect potential exploitation attempts, while regular security assessments of virtualization environments should include evaluation of access controls and privilege management mechanisms. The vulnerability underscores the critical importance of maintaining up-to-date virtualization platforms and implementing robust security controls across all infrastructure components.