CVE-2020-2690
Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A low-privileged local attacker can read arbitrary data from Oracle VM VirtualBox, potentially exposing sensitive information from guest VMs.
Vulnerability
The vulnerability resides in the Core component of Oracle VM VirtualBox. Affected versions are prior to 5.2.36, prior to 6.0.16, and prior to 6.1.2 [1]. The bug allows a low-privileged attacker with logon to the host system to compromise VirtualBox.
Exploitation
An attacker must have local access to the host where VirtualBox is installed and possess low privileges (e.g., a standard user account). No user interaction is required beyond logging in. The attacker can then trigger the vulnerability to read sensitive data from the VirtualBox process memory or guest VM data.
Impact
Successful exploitation results in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data, which is a high confidentiality impact (C:H) with no integrity or availability impact (I:N/A:N). Because the CVSS vector marks the scope as changed (S:C), the attack may also affect additional products beyond VirtualBox itself [1][2].
Mitigation
Oracle released fixed versions: 5.2.36, 6.0.16, and 6.1.2. Users should upgrade to these or later versions. Gentoo provides updated packages as per GLSA 202004-02 and GLSA 202101-09 [1][2]. No workaround is known.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
- Range: unspecified
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202004-02 (mitre, vendor-advisory, x_refsource_GENTOO)
- security.gentoo.org/glsa/202101-09 (mitre, vendor-advisory, x_refsource_GENTOO)
- www.oracle.com/security-alerts/cpujan2020.html (mitre, x_refsource_MISC)