CVE-2019-3026
Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.34 and prior to 6.0.14. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Oracle VM VirtualBox vmsvga FIFO lacks bounds check, enabling low-privileged guest attackers to read hypervisor memory (info disclosure).
Vulnerability
The vulnerability resides in the vmsvgaFIFOLoop function of Oracle VM VirtualBox (versions prior to 5.2.34 and 6.0.14). The code fails to validate user-supplied data properly, allowing a read past the end of an allocated object. A low-privileged attacker with logon access to the guest OS can trigger this out-of-bounds read.
Exploitation
The attacker must first obtain low-privileged code execution on the target guest system. Then, by manipulating FIFO data structures, they can cause vmsvgaFIFOLoop to read beyond the intended buffer. The specific flaw is documented in ZDI-19-917 [1], which notes that the lack of proper validation leads to an out-of-bounds read.
Impact
Successful exploitation results in unauthorized access to sensitive data — potentially all data accessible to the Oracle VM VirtualBox process. The CVSS 3.0 score is 6.5 (Confidentiality high, Integrity none, Availability none) with vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N [1]. This means the attacker can read critical hypervisor memory, which may include secrets of other guest VMs or the host.
Mitigation
Oracle released fixes in VirtualBox 5.2.34 and 6.0.14 [1]. Gentoo issued GLSA 202004-02 [2] advising all VirtualBox users to upgrade to these or later versions. No workaround is known; upgrading is the only mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <5.2.34, <6.0.14
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- security.gentoo.org/glsa/202004-02 (vendor advisory, GENTOO)
- security.gentoo.org/glsa/202101-09 (vendor advisory, GENTOO)
- www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (MISC)
- www.zerodayinitiative.com/advisories/ZDI-19-917/ (MISC)
News mentions
No linked articles in our index yet.