Before you go hunting for new patches for VirtualBox, it helps to place one vulnerability that keeps showing up in security searches: CVE-2026-35248. It is not a June advisory. Oracle published it in its April 2026 Critical Patch Update, the company’s last quarterly security bulletin before the summer. The next CPU is dated July 2026, so there was no new VirtualBox security advisory during June.
What CVE-2026-35248 is
The flaw lives in the Core component of Oracle VM VirtualBox and affects version 7.2.6. Oracle gives it a CVSS 3.1 base score of 5.0, in the medium range. What keeps that score relatively low is the condition for exploiting it: an attacker needs high privileges and access to the infrastructure where VirtualBox runs. A web visitor or an unprivileged guest cannot trigger it remotely on their own.
Put another way, exploiting this flaw requires someone who is already inside, with credentials of a certain level and access to the virtualization environment. That narrows the set of real scenarios considerably, though it does not make the flaw irrelevant on hosts shared by several people.
Who should care
If you run VirtualBox on your desktop to test distributions, build labs or isolate environments, the practical risk here is low, because you already control the host. The case worth watching is shared infrastructure: servers running VirtualBox where several users or accounts with different permissions coexist. There, an insider who already holds high privileges could gain an additional path through this Core flaw.
The good news for most people is simple. The affected version is 7.2.6, and the 7.2 branch is already at 7.2.10, released on 16 June 2026 as the latest available version of VirtualBox. If you have 7.2.10 installed, you are above the vulnerable release. The 7.2 maintenance updates have carried the security fixes from the quarterly CPUs alongside the stability work.
Mitigation with real numbers
The mitigation is the one you would expect: update. Moving from 7.2.6 to 7.2.10 puts you above the version Oracle marks as affected by CVE-2026-35248. There is no alternative configuration that replaces the update here; the route is installing the latest 7.2 maintenance release.
As a complementary measure on multi-user setups, review who holds high privileges over the host and access to the virtualization infrastructure, since that is exactly the condition CVE-2026-35248 needs. Limiting that access shrinks the attack surface of any Core flaw that requires prior privileges, not only this one.
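As an added example (not from the article or from Oracle), a small Python check that reads the version string `VBoxManage --version` prints and places it against the 7.2.6 and 7.2.10 figures above. The exact output shape of `VBoxManage --version` and the revision numbers in the sample strings are assumptions.

```python
import re
import shutil
import subprocess
from typing import Optional

# Figures from the advisory summary: 7.2.6 is the release Oracle lists as
# affected by CVE-2026-35248; 7.2.10 is the current 7.2 maintenance release.
AFFECTED = (7, 2, 6)
CURRENT = (7, 2, 10)

# Assumed shape of `VBoxManage --version` output: "7.2.10r170000", or
# "7.2.10_Ubuntur170000" for distro builds (major.minor.patch, optional
# suffix, optional "r<revision>"). Only the three numbers matter here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

def parse_vbox_version(raw: str) -> tuple:
    """Extract (major, minor, patch) from a VBoxManage version string."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised VirtualBox version string: {raw!r}")
    return tuple(int(x) for x in m.groups())

def assess_version(version: tuple) -> str:
    """'affected'  : exactly the release named in the advisory
       'current'   : at or above the latest 7.2 maintenance release
       'outdated'  : below 7.2.10 but not the listed release; the advisory
                     says nothing about it, so it is still due for the update"""
    if version == AFFECTED:
        return "affected"
    if version >= CURRENT:
        return "current"
    return "outdated"

def installed_vbox_version() -> Optional[str]:
    """Run `VBoxManage --version`, or return None when it is not on PATH."""
    exe = shutil.which("VBoxManage")
    if exe is None:
        return None
    return subprocess.run([exe, "--version"], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    raw = installed_vbox_version()
    if raw is None:
        print("VBoxManage not found on PATH; nothing to check")
    else:
        v = parse_vbox_version(raw)
        print(f"installed {'.'.join(map(str, v))}: {assess_version(v)}")
```

Run it on each host you manage; anything that reports `affected` or `outdated` is a candidate for the 7.2.10 update.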
If the security side of virtualization beyond VirtualBox interests you, we recently looked at a QEMU/KVM flaw where a guest could bring down the host process: CVE-2026-48914 in virtio-blk/SCSI. The pattern is different, but it shows how these risks are weighed in virtual machine software.
Source
- Oracle Critical Patch Update Advisory, April 2026: https://www.oracle.com/security-alerts/cpuapr2026.html