## https://sploitus.com/exploit?id=6A6412FB-9FCD-53BB-BA01-3B1C5BBF56FE
# CVE-2026-35250
my firstever cve is a 2.3
- Integer Overflow on DevVGA_VBVA
- can cause DoS from privileged guest
- AI-assisted finding and PoC is completely written by AI
Problem is at `src/VBox/Devices/Graphics/DevVGA_VBVA.cpp:740-743` ASSERT_GUEST_MSG_RETURN where dimensions check uses `||` (OR) instead of `&&` (AND). A guest can supply `width=0x80000001, height=16` and the check passes because `height <= 2048`. Then on lines 745-746:
```c
cbPointerData = ((((SafeShape.u32Width + 7) / 8) * SafeShape.u32Height + 3) & ~3)
+ SafeShape.u32Width * 4 * SafeShape.u32Height;
```
The subsequent check at line 748 (`cbPointerData <= cbShape - 24`) passes with the truncated value (80 <= 104). The host allocates 80 bytes via `RTMemAlloc`, copies 80 bytes from guest VRAM, then passes dimensions 2,147,483,649 ร 16 with an 80-byte buffer to `pfnVBVAMousePointerShape`, which processes the cursor shape using the huge dimensions.
host is computing AND mask scanline width from the overflowed dimensions and reading past the 80-byte heap buffer.
Crash 1 โ NULL pointer WRITE (GUI display thread):
```
ExceptionCode=0xc0000005 ExceptionAddress=VirtualBoxVM.dll+0x000267a2
ExceptionInformation[0]=1 (WRITE) ExceptionInformation[1]=0x0000000000000000 (NULL)
rsi=0x80000001 (POISON_WIDTH) r13=0x10 (POISON_HEIGHT=16) rcx=0x0 (NULL dest)
```
Crash 2 โ Heap over-READ (EMT/main thread):
```
ExceptionCode=0xc0000005 ExceptionAddress=VBoxC.dll+0x000d1194
ExceptionInformation[0]=0 (READ) ExceptionInformation[1]=0x00000263cefe8fd0
rax=0x80000001 (POISON_WIDTH) r12=0x10000001 ((WIDTH+7)/8 = AND scanline width)
r13=0x10 (POISON_HEIGHT=16) r8=0x80000001 (POISON_WIDTH)
```
Since host is 64-bit, I don't think it is an exploitable issue. For "exploit", do this on guest:
```bash
# Guest: build and load
cd /path/to/poc
make
sudo insmod gfx1_exploit.ko
```