Oracle patched two vulnerabilities in VirtualBox 6.0.4 affecting the emulated Intel HD Audio (HDA) controller used by Windows guests. CVE-2019-3002 allows a privileged attacker inside a guest to manipulate HDA stream control and related registers so that audio stream initialization hits a divide-by-zero condition, crashing the virtual machine. CVE-2019-3005 stems from a crafted stream descriptor number sent to the emulated HDA CODEC, which can detach an existing stream and leave a sink pointer NULL, leading to a host-side NULL pointer dereference when that sink is later accessed.
Both issues require the attacker to already have high-privileged code execution inside the guest and the VM to be configured with the default HDA audio controller. The flaws were reported to Oracle on 2019-09-11 and fixed in the vendor's October 2019 Critical Patch Update, with STAR Labs noting that the bugs could be triggered through guest-controlled audio stream parameters in the VirtualBox HDA implementation.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Oracle issued fixes for the two VirtualBox vulnerabilities on 2019-10-20 and published them as part of its October 2019 Critical Patch Update. The patched flaws affected the default HDA audio controller configuration used by Windows guests in VirtualBox 6.0.4.
STAR Labs submitted reports to Oracle for CVE-2019-3002 and CVE-2019-3005, both affecting the emulated Intel HD Audio controller in Oracle VirtualBox 6.0.4. The issues could let a privileged guest user trigger host-side crashes via divide-by-zero and NULL pointer dereference conditions.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.