CVE-2025-53027: 
VirtualBox vulnerability analysis and mitigation

A vulnerability was discovered in Oracle VM VirtualBox version 7.1.10 (component: Core). The vulnerability (CVE-2025-53027) was reported by Do Manh Dung & Nguyen Dang Nguyen of STAR Labs SG Pte. Ltd. working with Trend Zero Day Initiative and was publicly disclosed on July 15, 2025. This vulnerability allows high-privileged attackers with logon access to the infrastructure where Oracle VM VirtualBox executes to compromise the system, with a CVSS 3.1 base score of 8.2 (Oracle Advisory, ZDI Advisory).

The specific flaw exists within the implementation of the virtual OHCI USB controller. The issue results from the lack of proper locking when performing operations on an object, leading to a Time-Of-Check Time-Of-Use (TOCTOU) local privilege escalation vulnerability. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.2 (Confidentiality, Integrity and Availability impacts) with the vector string: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (ZDI Advisory).

Successful exploitation of this vulnerability can result in complete takeover of Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products due to scope change. The vulnerability affects all three security aspects with high severity: confidentiality, integrity, and availability (Oracle Advisory).

Oracle has issued an update to correct this vulnerability as part of the July 2025 Critical Patch Update. Users are strongly advised to apply the security patches without delay to address this vulnerability. The vulnerability was reported to Oracle on June 2, 2025, and a coordinated public release of the advisory occurred on July 15, 2025 (ZDI Advisory, Oracle Advisory).