CVE-2020-2902: 
VirtualBox vulnerability analysis and mitigation

CVE-2020-2902 is a vulnerability affecting Oracle VM VirtualBox versions prior to 5.2.40, prior to 6.0.20, and prior to 6.1.6. The vulnerability was disclosed and patched in April 2020 as part of Oracle's Critical Patch Update. This security flaw allows low-privileged attackers with logon access to the infrastructure where Oracle VM VirtualBox executes to potentially compromise the system (ZDI Advisory, Oracle CPU).

The vulnerability exists within the handling of D3D9 shader objects in VirtualBox. The specific issue stems from a lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.0 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity (ZDI Advisory).

Successful exploitation of this vulnerability can result in the complete takeover of Oracle VM VirtualBox. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current process, potentially compromising the entire virtualization environment (ZDI Advisory, Rapid7).

Oracle has released security patches to address this vulnerability. Users are advised to upgrade to VirtualBox versions 5.2.40, 6.0.20, or 6.1.6 or later. The fix was included in Oracle's April 2020 Critical Patch Update (Oracle CPU, OpenSUSE).