ZDI 2026-04-28

ZDI-26-306: Oracle VirtualBox SoundBlaster 16 Race Condition Local Privilege Escalation Vulnerability

CVE-2026-35230

Machine-generated analysis · WAYSCloud LLM

The vulnerability requires a local attacker to already have high-privileged code execution on the guest system. The ZDI assigned a CVSS rating of 7.5 for this issue.

Context

Oracle VirtualBox's SoundBlaster 16 component is affected by a race condition vulnerability. The source describes a local privilege escalation vulnerability. The advisory notes that exploitation requires prior high-privileged code execution on the guest.

Operator considerations

The source does not provide enough basis for specific operator guidance.

From Zero Day Initiative ↗

This vulnerability allows local attackers to escalate privileges on affected installations of Oracle VirtualBox. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2026-35230.

Read the full advisory on ZDI →