ZDI-26-099: Oracle VirtualBox VMSVGA Race Condition Local Privilege Escalation Vulnerability

• Oracle VirtualBox VMSVGA race condition allows local attackers to elevate privileges to hypervisor level. • Exploit requires initial high‑privileged code execution on the guest OS. • Lack of proper locking on VMSVGA device operations creates race condition. • Attack can execute arbitrary code within hypervisor context, bypassing isolation. • Vulnerability reported to vendor on 2025‑09‑25, publicly disclosed 2026‑02‑13. • Similar VMSVGA flaws include use‑after‑free and heap‑overflow, all enabling privilege escalation.

Article Summaries:

• CVE ID | CVE-2026-21984 | CVSS SCORE | 7.5, AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | AFFECTED VENDORS | Oracle | AFFECTED PRODUCTS | VirtualBox | VULNERABILITY DETAILS | This vulnerability allows local attackers to escalate privileges on affected installations of Oracle VirtualBox. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the VMSVGA device. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnera
• CVE ID | CVE-2026-21955 | CVSS SCORE | 8.2, AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | AFFECTED VENDORS | Oracle | AFFECTED PRODUCTS | VirtualBox | VULNERABILITY DETAILS | This vulnerability allows local attackers to escalate privileges on affected installations of Oracle VirtualBox. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the VMSVGA device. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attack
• CVE ID | CVE-2026-21983 | CVSS SCORE | 7.5, AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | AFFECTED VENDORS | Oracle | AFFECTED PRODUCTS | VirtualBox | VULNERABILITY DETAILS | This vulnerability allows local attackers to escalate privileges on affected installations of Oracle VirtualBox. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the VMSVGA device. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length h

Sources:

• http://www.zerodayinitiative.com/advisories/ZDI-26-099/
• http://www.zerodayinitiative.com/advisories/ZDI-26-098/
• http://www.zerodayinitiative.com/advisories/ZDI-26-097/