Researchers disclosed two Oracle VirtualBox vulnerabilities in the VirtualBox Video Acceleration (VBVA) component that could let an attacker escape from a guest VM and execute code in the host VirtualBox process. The flaws, tracked as CVE-2020-2682 and CVE-2020-2758, affected the HGSMI-exposed graphics path used by guest systems, making the vulnerable functionality reachable from inside a virtual machine when video acceleration features were enabled.
CVE-2020-2682 was an out-of-bounds access caused by using a guest-controlled surface handle as an index without effective bounds enforcement in release builds, while CVE-2020-2758 was a use-after-free tied to stale VGA surface pointers during guest-triggerable display resize operations. In both cases, crafted VBVA commands could corrupt memory in the host-side VirtualBox process and potentially achieve privilege escalation or full VM escape. Oracle addressed the issues in its January 2020 and April 2020 Critical Patch Update advisories, respectively.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
STAR Labs publicly disclosed the VirtualBox VHWA use-after-free privilege-escalation and VM escape vulnerability on 2020-04-30.
Oracle fixed CVE-2020-2758 in its April 2020 Critical Patch Update advisory for VirtualBox.
STAR Labs disclosed the Oracle VirtualBox VHWA use-after-free vulnerability later assigned CVE-2020-2758 to the vendor through ZDI on 2020-03-03.
Details of the VirtualBox VBoxVHWAHandleTable out-of-bounds access privilege-escalation issue were publicly disclosed in January 2020.
Oracle addressed CVE-2020-2682 in its January 2020 Critical Patch Update advisory for VirtualBox.
Oracle verified the reported VirtualBox VBVA flaw in October 2019 as part of coordinated disclosure for CVE-2020-2682.
STAR Labs reported the Oracle VirtualBox VBVA out-of-bounds access vulnerability later assigned CVE-2020-2682 to ZDI in September 2019.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
starlabs.sg
Open sourcestarlabs.sg
Open sourcestarlabs.sg
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.