VirtualBox vulnerability exploitable through the RDP protocol

A vulnerability has been disclosed in the VirtualBox virtualization system that allows a remote user to execute code at the host level. The vulnerability, identified as CVE-2023-22018, can be exploited in certain configurations by an unauthorized user with network access to the Remote Desktop Protocol (RDP) service. The details of this vulnerability can be found here.

The vulnerability stems from an error in processing requests for access to USB devices. Because the amount of transmitted data is not verified, an attacker could write beyond the space allocated for the buffer, resulting in a buffer overflow. The vulnerability was quietly fixed in the VirtualBox 6.1.46 and 7.0.10 releases. For more information on the fix, please refer to this link.
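
The missing size check described above, sketched as an added example with the validation in place. This is not VirtualBox's code: the two-byte length header, the 64-byte buffer and all names are hypothetical, and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request layout (an assumption, not VirtualBox's wire format):
 * bytes 0..1 = declared payload length, little-endian; bytes 2.. = payload. */
#define HDR_LEN 2u
#define BUF_CAP 64u

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LARGE = -2 };

struct usb_request {
    uint8_t data[BUF_CAP];   /* fixed-size destination buffer */
    size_t  len;
};

/* The flaw class is a copy sized only by the sender-controlled field:
 *     memcpy(req->data, msg + HDR_LEN, declared);    (no bound)
 * Here the field is checked against both the bytes actually received
 * and the capacity of the destination before anything is copied. */
int parse_request(const uint8_t *msg, size_t msg_len, struct usb_request *req)
{
    if (msg_len < HDR_LEN)
        return PARSE_TRUNCATED;
    size_t declared = (size_t)msg[0] | ((size_t)msg[1] << 8);
    if (declared > msg_len - HDR_LEN)   /* claims more than was received */
        return PARSE_TRUNCATED;
    if (declared > sizeof req->data)    /* would not fit in the buffer */
        return PARSE_TOO_LARGE;
    memcpy(req->data, msg + HDR_LEN, declared);
    req->len = declared;
    return PARSE_OK;
}

/* Builds a constructed sample message and returns the parser's verdict. */
int check_sample(uint16_t declared, size_t payload_len)
{
    uint8_t msg[HDR_LEN + 256] = {0};
    struct usb_request req;
    if (payload_len > 256) payload_len = 256;
    msg[0] = (uint8_t)(declared & 0xff);
    msg[1] = (uint8_t)(declared >> 8);
    memset(msg + HDR_LEN, 0x41, payload_len);
    return parse_request(msg, HDR_LEN + payload_len, &req);
}

int main(void) { printf("%d %d\n", check_sample(16, 16), check_sample(65, 65)); return 0; }
```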
