
CVE-2008-3431

Known Exploited (CISA KEV)
Severity: HIGH
CVSS Severity Score: 8.8
EPSS Score: 75.6600%
EPSS Percentile: 95.13th
Published: Aug 5, 2008
Last Modified: Apr 22, 2026

Vulnerability Description

The VBoxDrvNtDeviceControl function in VBoxDrv.sys in Sun xVM VirtualBox before 1.6.4 uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to gain privileges by opening the \\.\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address.

Affected Platforms (CPE)

Oracle VirtualBox < 1.6.4
