CVE-2022-21621
Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are prior to 6.1.40. Easily exploitable vulnerability allows a high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 6.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A high-privileged attacker can cause a denial of service in Oracle VM VirtualBox versions prior to 6.1.40.
Vulnerability
The vulnerability resides in the Core component of Oracle VM VirtualBox and affects versions prior to 6.1.40 [1]. It is easily exploitable by an attacker who already holds high privileges (PR:H) and logon access to the host system where VirtualBox runs (AV:L). The attack does not require user interaction (UI:N) and can impact additional products beyond VirtualBox itself (scope change, S:C).
Exploitation
An attacker with high privileges on the host machine can trigger the vulnerability by executing a sequence of operations that leads to a hang or a frequently repeatable crash of VirtualBox. Attack complexity is rated low (AC:L): no special timing or race conditions are needed, and the attacker only needs logon access to the infrastructure where VirtualBox executes. The public description does not detail the specific operations involved.
Impact
Successful exploitation results in a complete denial of service (availability impact, A:H) of Oracle VM VirtualBox. The scope change indicates that the attack may also affect other products or components beyond VirtualBox itself, though the primary impact is on availability. The CVSS vector records no confidentiality or integrity impact (C:N/I:N), so the vulnerability as described does not grant unauthorized access to data or code execution.
Mitigation
Oracle released a fix in version 6.1.40 as part of the October 2022 Critical Patch Update [1]. Users should upgrade to this version or later. No workaround is available. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <6.1.40
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- security.gentoo.org/glsa/202212-03 (mitre, vendor-advisory)
- www.oracle.com/security-alerts/cpuoct2022.html (mitre)
News mentions
No linked articles in our index yet.