Oracle published a corrective release of the virtualization system Virtualbox 7.0.16, which includes 15 corrections. The new version also eliminates 13 vulnerabilities, with 7 being classified as dangerous (four with a hazard level of 8.8 out of 10, and three with a level of 7.8 out of 10).
While specific details about the vulnerabilities are not disclosed, the severity levels indicate that they could potentially allow unauthorized access to the host system from guest systems. Two vulnerabilities are specific to Linux hosts, while the other two are Windows-specific. Notably, one vulnerability enables remote attacks via HTTP without authentication, although it is rated at 5.9 out of 10 due to its operational complexity.
The main changes in Virtualbox 7.0.16 include:
- Inclusion of initial support for the Linux 6.9 kernel in both host and guest systems, as well as support for kernel 6.8 in guest systems.
- Ability to prevent automatic loading of kernel modules on Linux hosts and guests by setting the parameter Mod_NAME.Disabled = 1 in the kernel command line.
- Resolution of issues related to Linux kernel module compilation using the GCC 13.2 compiler on Linux hosts.
- Solving issues in Linux hosts with the detection of VboxSSVC IPC conflicts in the starting script vbox.sh when using the SUDO utility to start virtual machines.
- Warnings related to UBSAN and MK_PTE support in Linux-based host and guest systems.
- Enhancements related to graphics in Windows-based guest systems.
- Resolution of performance degradation issues in virtual machines on MacOS hosts caused by App Nap.
- Streamlined launch of nested guest systems using a KVM hypervisor on Intel CPU-based hosts.
- Fix for unexpected VM shutdowns on certain new AMD CPUs.
- Resolution of USB driver issues with EHCI