CVE-2020-2758: 
VirtualBox vulnerability analysis and mitigation

CVE-2020-2758 is a security vulnerability affecting Oracle VirtualBox, discovered and disclosed in April 2020. The vulnerability exists within the VBoxVGA graphics controller component, specifically in the handling of the VBoxVHWASurfaceBase object. It affects Oracle VM VirtualBox versions prior to 6.0.20 and prior to 6.1.6 (ZDI Advisory).

The vulnerability is characterized by improper validation of object existence prior to performing operations on the VBoxVHWASurfaceBase object. It has been assigned a CVSS v3.1 base score of 8.2 (High) with the following vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. This indicates that the vulnerability requires local access and high privileges but no user interaction, with potential impacts on confidentiality, integrity, and availability across security boundaries (ZDI Advisory).

If successfully exploited, this vulnerability allows an attacker to escalate privileges and execute code in the context of the hypervisor. The attacker must first obtain the ability to execute high-privileged code on the target guest system to exploit this vulnerability (ZDI Advisory).

Oracle has released security patches to address this vulnerability. Users should upgrade to VirtualBox version 6.0.20 or later for the 6.0.x series, or version 6.1.6 or later for the 6.1.x series. The fix was included in Oracle's April 2020 Critical Patch Update (Oracle Advisory, OpenSUSE Advisory).