VirtualBox vulnerabilities: known CVEs & security history
Oracle · Virtualization · 417 tracked CVEs · 1 actively exploited · updated June 2026 · what is a CVE? →
This is the full list of known vulnerabilities (CVEs) across all VirtualBox release lines — 417 in total, with 1 actively exploited in the wild. A CVE here doesn't mean your version is affected — check VirtualBox's current status and the safe version to run.
Known VirtualBox CVEs
Actively-exploited and most-severe first. Showing the top 80 of 417. Open any CVE for full details.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2019-2725⚡ exploited | critical | 9.8 | 100% | 2019 |
| CVE-2015-8104 | critical | 10 | 3% | 2015 |
| CVE-2016-5605 | critical | 9.1 | 2% | 2016 |
| CVE-2018-3294 | critical | 9 | 2% | 2018 |
| CVE-2015-0235 | high | 10 | 95% | 2015 |
| CVE-2024-21115 | high | 8.8 | 0% | 2024 |
| CVE-2024-21114 | high | 8.8 | 0% | 2024 |
| CVE-2024-21113 | high | 8.8 | 0% | 2024 |
| CVE-2024-21112 | high | 8.8 | 0% | 2024 |
| CVE-2022-39427 | high | 8.8 | 0% | 2022 |
| CVE-2020-2902 | high | 8.8 | 1% | 2020 |
| CVE-2019-3028 | high | 8.8 | 1% | 2019 |
| CVE-2019-2859 | high | 8.8 | 0% | 2019 |
| CVE-2019-2723 | high | 8.8 | 1% | 2019 |
| CVE-2019-2722 | high | 8.8 | 1% | 2019 |
| CVE-2019-2721 | high | 8.8 | 2% | 2019 |
| CVE-2019-2703 | high | 8.8 | 1% | 2019 |
| CVE-2019-2696 | high | 8.8 | 1% | 2019 |
| CVE-2019-2680 | high | 8.8 | 1% | 2019 |
| CVE-2019-2656 | high | 8.8 | 1% | 2019 |
| CVE-2019-2552 | high | 8.8 | 1% | 2019 |
| CVE-2019-2524 | high | 8.8 | 1% | 2019 |
| CVE-2019-2500 | high | 8.8 | 1% | 2019 |
| CVE-2018-2844 | high | 8.8 | 1% | 2018 |
| CVE-2018-2843 | high | 8.8 | 0% | 2018 |
| CVE-2018-2842 | high | 8.8 | 0% | 2018 |
| CVE-2018-2698 | high | 8.8 | 2% | 2018 |
| CVE-2018-2694 | high | 8.8 | 0% | 2018 |
| CVE-2017-10204 | high | 8.8 | 2% | 2017 |
| CVE-2017-10129 | high | 8.8 | 2% | 2017 |
| CVE-2017-3576 | high | 8.8 | 2% | 2017 |
| CVE-2017-3563 | high | 8.8 | 1% | 2017 |
| CVE-2017-3561 | high | 8.8 | 2% | 2017 |
| CVE-2020-2959 | high | 8.6 | 3% | 2020 |
| CVE-2018-3298 | high | 8.6 | 1% | 2018 |
| CVE-2018-3297 | high | 8.6 | 1% | 2018 |
| CVE-2018-3296 | high | 8.6 | 1% | 2018 |
| CVE-2018-3295 | high | 8.6 | 2% | 2018 |
| CVE-2018-3293 | high | 8.6 | 1% | 2018 |
| CVE-2018-3292 | high | 8.6 | 1% | 2018 |
| CVE-2018-3291 | high | 8.6 | 1% | 2018 |
| CVE-2018-3290 | high | 8.6 | 1% | 2018 |
| CVE-2018-3289 | high | 8.6 | 1% | 2018 |
| CVE-2018-3288 | high | 8.6 | 1% | 2018 |
| CVE-2018-3287 | high | 8.6 | 1% | 2018 |
| CVE-2018-2909 | high | 8.6 | 1% | 2018 |
| CVE-2018-3090 | high | 8.6 | 1% | 2018 |
| CVE-2018-3089 | high | 8.6 | 1% | 2018 |
| CVE-2018-3088 | high | 8.6 | 1% | 2018 |
| CVE-2018-3087 | high | 8.6 | 1% | 2018 |
| CVE-2018-3086 | high | 8.6 | 1% | 2018 |
| CVE-2018-2690 | high | 8.6 | 1% | 2018 |
| CVE-2018-2689 | high | 8.6 | 1% | 2018 |
| CVE-2018-2688 | high | 8.6 | 1% | 2018 |
| CVE-2018-2687 | high | 8.6 | 1% | 2018 |
| CVE-2018-2686 | high | 8.6 | 1% | 2018 |
| CVE-2018-2685 | high | 8.6 | 1% | 2018 |
| CVE-2018-3085 | high | 8.5 | 1% | 2018 |
| CVE-2017-3558 | high | 8.5 | 3% | 2017 |
| CVE-2021-2264 | high | 8.4 | 1% | 2021 |
| CVE-2017-3587 | high | 8.4 | 1% | 2017 |
| CVE-2017-3332 | high | 8.4 | 0% | 2017 |
| CVE-2017-3316 | high | 8.4 | 7% | 2017 |
| CVE-2026-21990 | high | 8.2 | 0% | 2026 |
| CVE-2026-21988 | high | 8.2 | 0% | 2026 |
| CVE-2026-21987 | high | 8.2 | 0% | 2026 |
| CVE-2026-21956 | high | 8.2 | 0% | 2026 |
| CVE-2026-21955 | high | 8.2 | 0% | 2026 |
| CVE-2025-62641 | high | 8.2 | 0% | 2025 |
| CVE-2025-62590 | high | 8.2 | 0% | 2025 |
| CVE-2025-62589 | high | 8.2 | 0% | 2025 |
| CVE-2025-62588 | high | 8.2 | 0% | 2025 |
| CVE-2025-62587 | high | 8.2 | 0% | 2025 |
| CVE-2025-53028 | high | 8.2 | 0% | 2025 |
| CVE-2025-53027 | high | 8.2 | 0% | 2025 |
| CVE-2025-53024 | high | 8.2 | 0% | 2025 |
| CVE-2024-21141 | high | 8.2 | 0% | 2024 |
| CVE-2023-22099 | high | 8.2 | 0% | 2023 |
| CVE-2023-22098 | high | 8.2 | 1% | 2023 |
| CVE-2023-21990 | high | 8.2 | 0% | 2023 |
337 older / lower-severity CVEs not shown — see VirtualBox's full record.
Is my VirtualBox version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Check your VirtualBox version → · Monitor VirtualBox for new CVEs →
VirtualBox vulnerabilities — frequently asked
How many known vulnerabilities does VirtualBox have?
IsItPatched tracks 417 CVEs for VirtualBox, 1 of which is actively exploited (CISA KEV). 4 are critical-severity and 197 high-severity. These span every release line — what matters is whether the version you run is affected.
Does VirtualBox have any actively-exploited vulnerabilities?
Yes — 1 VirtualBox CVE is in CISA's Known Exploited Vulnerabilities catalog, meaning it is confirmed exploited in the wild (1 linked to ransomware). Patch it as a priority.
What is the most severe VirtualBox vulnerability?
Among tracked issues, CVE-2019-2725 (CRITICAL, CVSS 9.8), which is actively exploited, ranks highest — a Injection weakness.
Is VirtualBox safe to use?
It depends on the version. The latest supported VirtualBox release (7.2.10) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Related: VirtualBox security status · VirtualBox end-of-life · actively-exploited CVEs. Always verify against Oracle's advisories — see our disclaimer.