Oracle has released a new version of its virtualization system, VirtualBox 7.1.12, which includes 11 changes and addresses 7 vulnerabilities. Three of these are rated the most serious, with a severity score of 8.2 out of 10:
- CVE-2025-53024 – an integer overflow in the implementation of the VMSVGA virtual graphics device, allowing privileged users of the guest system to execute code at the hypervisor level and gain access to the host.
- CVE-2025-53027 – improper use of locks in the implementation of the OHCI USB virtual controller, allowing a guest system to manipulate the controller so as to execute code at the hypervisor level.
- CVE-2025-53028 – a buffer overflow in the implementation of the VMSVGA virtual graphics device, allowing the guest system to achieve code execution at the hypervisor level.
Other vulnerabilities addressed include CVE-2025-53025. In addition to the security fixes, VirtualBox 7.1.12 also includes non-security changes, such as support for Linux 6.16 kernels and fixes for issues with Linux 3.10 kernels in guest systems. Linux hosts receive fixes for network bridges with IXGBE drivers and improvements in virtual machine management. Windows hosts receive improved driver installation and support for AVX/AVX2 instructions in guest systems when VirtualBox runs on top of the Hyper-V hypervisor.
One specific issue resolved in this release is the inability to launch Windows guest systems when screen recording is enabled in the VM settings.