CVE-2025-62590: 
VirtualBox vulnerability analysis and mitigation

A vulnerability has been identified in Oracle VM VirtualBox versions 7.1.12 and 7.2.2, specifically affecting the Core component. This vulnerability (CVE-2025-62590) was discovered by VMBreakers (GANGMIN KIM, SANGBIN KIM, Un3xploitable) and disclosed in October 2025. The vulnerability received a CVSS 3.1 Base Score of 8.2, indicating a high severity level (Oracle CPU, NVD).

The vulnerability exists within the VMSVGA device and stems from inadequate validation of user-supplied data length before copying it to a fixed-length stack-based buffer. This stack-based buffer overflow vulnerability requires a high-privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox executes. The CVSS vector for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating local access, low attack complexity, high privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity, and availability (ZDI).

Successful exploitation of this vulnerability can result in complete takeover of Oracle VM VirtualBox. While the vulnerability is contained within VirtualBox, attacks may significantly impact additional products due to scope change. The vulnerability affects the confidentiality, integrity, and availability of the system, potentially allowing attackers to execute arbitrary code in the context of the hypervisor (Oracle CPU, ZDI).

Oracle has released security patches to address this vulnerability as part of their October 2025 Critical Patch Update. Users are strongly advised to update their Oracle VM VirtualBox installations to the latest patched versions. The vulnerability affects versions 7.1.12 and 7.2.2, and users should apply the security updates provided by Oracle (Oracle CPU).