返回 CVE 浏览器

CVE-2008-3431

Known Exploited (CISA KEV)HIGH

8.8

CVSS Severity Score

EPSS Score75.6600%

EPSS Percentile95.13th

Published2008年8月5日

Last Modified2026年4月22日

Vulnerability Description

The VBoxDrvNtDeviceControl function in VBoxDrv.sys in Sun xVM VirtualBox before 1.6.4 uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to gain privileges by opening the \\.\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address.

Affected Platforms (CPE)

📦

Oracle

Virtualbox

< 1.6.4

References & Advisories

🔗 http://secunia.com/advisories/31361

🔗 http://securityreason.com/securityalert/4107

🔗 http://securitytracker.com/id?1020625

🔗 http://sunsolve.sun.com/search/document.do?assetkey=1-66-240095-1

🔗 http://virtualbox.org/wiki/Changelog

🔗 http://www.coresecurity.com/content/virtualbox-privilege-escalation-vulnerability

🔗 http://www.securityfocus.com/archive/1/495095/100/0/threaded

🔗 http://www.securityfocus.com/bid/30481

相关漏洞威胁

CVE-2020-61009.9

An exploitable memory corruption vulnerability exists in AMD atidxx64.dll 26.20.15019.19000 graphics driver. A specially crafted p...

CVE-2016-56059.1

Unspecified vulnerability in the Oracle VM VirtualBox component before 5.1.4 in Oracle Virtualization allows remote attackers to a...

CVE-2018-32949.0

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is a...

CVE-2019-25248.8

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are aff...