CVE-2022-39423
Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are prior to 6.1.38. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
High-privileged attacker with local logon can access critical data in Oracle VM VirtualBox prior to 6.1.38.
Vulnerability
The vulnerability resides in the Core component of Oracle VM VirtualBox. It affects versions prior to 6.1.38. The flaw is easily exploitable and requires an attacker to have high privileges and be able to log on to the host system where VirtualBox runs. The CVSS scope is changed (S:C), meaning an attack can also impact additional products beyond VirtualBox.
Exploitation
An attacker with high privileges (e.g., administrator or root) on the host system can exploit this vulnerability by interacting with VirtualBox's core functionality. No user interaction is required beyond the attacker's own actions. The exact exploitation mechanism is not disclosed in the public references, but the attack vector is local.
Impact
Successful exploitation results in unauthorized access to critical data or complete access to all data accessible by Oracle VM VirtualBox. The primary impact is on confidentiality; integrity and availability are not affected according to the CVSS vector. Due to the scope change, other products on the host may be affected.
Mitigation
Oracle has addressed this vulnerability in VirtualBox version 6.1.38 and later. According to the Gentoo security advisory [1], all users should upgrade to version 6.1.40 or higher. No workaround is available. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <6.1.38
- Range: unspecified
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202212-03 (mitre, vendor-advisory)
- www.oracle.com/security-alerts/cpuoct2022.html (mitre)