CVE-2024-21121: 
VirtualBox vulnerability analysis and mitigation

A vulnerability has been identified in Oracle VM VirtualBox (CVE-2024-21121) affecting versions prior to 7.0.16. This vulnerability allows low-privileged attackers with logon access to the infrastructure where Oracle VM VirtualBox executes to compromise the system. The issue exists within the BusLogic module and OHCI USB controller implementation (Oracle Advisory, ZDI Advisory).

The vulnerability stems from two specific issues: 1) lack of proper initialization of memory prior to accessing it in the BusLogic module, and 2) lack of validating the existence of an object prior to performing operations on the object in the OHCI USB controller. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.5 with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, indicating local access requirements with low attack complexity (Oracle Advisory, ZDI Advisory).

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. The vulnerability's scope change indicates that attacks may significantly impact additional products beyond VirtualBox itself (Oracle Advisory).

Oracle has released a security patch to address this vulnerability in VirtualBox version 7.0.16. Users are strongly advised to upgrade to this version to mitigate the risk (Oracle Advisory).