CVE-2020-2703
Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36 and prior to 6.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A low-privileged attacker can cause a complete denial of service of Oracle VM VirtualBox by triggering a hang or crash via the Core component.
Vulnerability
This vulnerability resides in the Core component of Oracle VM VirtualBox, affecting versions prior to 5.2.36 and prior to 6.0.16 [1]. The bug allows a low-privileged attacker with local logon access to the host system to trigger a hang or frequently repeatable crash, leading to a complete denial of service of the VirtualBox application [1].
Exploitation
An attacker needs local logon access to the host where VirtualBox runs and only a low-privileged account. The attack is low complexity and requires no interaction from any other user (AV:L/AC:L/PR:L/UI:N) [1]. The references do not describe the triggering steps; the advisory records only that the vector is local and that the flaw lies in the Core component.
Impact
Successful exploitation gives an unauthorized ability to cause a hang or frequently repeatable crash of VirtualBox, i.e. a complete denial of service (availability impact). The CVSS 3.0 base score is 6.5 (Availability: High) with a scope change (S:C), reflecting Oracle's note that a successful attack may significantly impact products beyond VirtualBox itself, such as the guests it hosts [1]. No confidentiality or integrity impact is reported.
Mitigation
Oracle released fixed versions 5.2.36 and 6.0.16 in the January 2020 Critical Patch Update [1]. Users should upgrade to these or later versions on their branch. The Gentoo security advisory likewise recommends upgrading to a fixed release (e.g., 6.1.2) [2]. Oracle's advisory documents no workaround; upgrading is the only listed remediation [1].
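Because the fix lands in two branches (5.2 and 6.0) with different fixed patch levels, a plain "is my version less than X" check is wrong. The script below, an added example and not Oracle's or Gentoo's own tooling, encodes only the ranges stated in the advisory text: it parses the output of `VBoxManage --version` (a real VirtualBox command; formats such as `6.0.14r133895` or `6.1.2_RC1r135662` are assumed from observed output) and compares the numeric triple against the fixed version for its branch. Any branch the advisory does not list (6.1.x or later) is reported as "not in listed ranges" rather than guessed at.

```python
"""Check an installed Oracle VM VirtualBox build against the version ranges
Oracle lists for CVE-2020-2703.

Added example for this page, not vendor tooling. Only the advisory's ranges
are encoded: the 5.2 branch is fixed at 5.2.36 and the 6.0 branch at 6.0.16.
"""
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions per affected branch, taken from the advisory description.
FIXED_BY_BRANCH = {
    (5, 2): (5, 2, 36),
    (6, 0): (6, 0, 16),
}

# VBoxManage --version prints strings such as "6.0.14r133895" or
# "6.1.2_RC1r135662" (assumed formats); only the leading numeric triple
# matters for the range comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from VBoxManage --version output."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised VirtualBox version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: Tuple[int, int, int]) -> str:
    """Classify a version as 'vulnerable', 'fixed' or 'not in listed ranges'.

    Comparison is per branch: 6.0.14 is vulnerable while 5.2.36 is fixed,
    even though 5.2.36 sorts below 6.0.14. Branches the advisory does not
    mention are not assumed safe or unsafe.
    """
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "not in listed ranges"
    return "vulnerable" if version < fixed else "fixed"


def installed_version(cmd: str = "VBoxManage") -> Optional[str]:
    """Run `VBoxManage --version` on this host; None if VirtualBox is absent."""
    try:
        out = subprocess.run([cmd, "--version"], capture_output=True,
                             text=True, check=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    raw = installed_version()
    if raw is None:
        print("VirtualBox not found on this host")
    else:
        print(f"{raw}: {assess(parse_version(raw))} for CVE-2020-2703")
```

Run it on the host as any user who can execute `VBoxManage`; the check itself needs no privileges. If the tool reports "not in listed ranges", consult the advisory for that branch rather than treating the host as patched.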
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <5.2.36, <6.0.16
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- security.gentoo.org/glsa/202004-02 (vendor advisory, x_refsource_GENTOO)
- security.gentoo.org/glsa/202101-09 (vendor advisory, x_refsource_GENTOO)
- www.oracle.com/security-alerts/cpujan2020.html (x_refsource_MISC)
News mentions
No linked articles in our index yet.