Share
## https://sploitus.com/exploit?id=6A6412FB-9FCD-53BB-BA01-3B1C5BBF56FE
# CVE-2026-35250
my firstever cve is a 2.3 


- Integer Overflow on DevVGA_VBVA
- can cause DoS from privileged guest
- AI-assisted finding and PoC is completely written by AI


Problem is at `src/VBox/Devices/Graphics/DevVGA_VBVA.cpp:740-743` ASSERT_GUEST_MSG_RETURN where dimensions check uses `||` (OR) instead of `&&` (AND). A guest can supply `width=0x80000001, height=16` and the check passes because `height <= 2048`. Then on lines 745-746:

```c
cbPointerData = ((((SafeShape.u32Width + 7) / 8) * SafeShape.u32Height + 3) & ~3)
              + SafeShape.u32Width * 4 * SafeShape.u32Height;
```

The subsequent check at line 748 (`cbPointerData <= cbShape - 24`) passes with the truncated value (80 <= 104). The host allocates 80 bytes via `RTMemAlloc`, copies 80 bytes from guest VRAM, then passes dimensions 2,147,483,649 ร— 16 with an 80-byte buffer to `pfnVBVAMousePointerShape`, which processes the cursor shape using the huge dimensions.

host is computing AND mask scanline width from the overflowed dimensions and reading past the 80-byte heap buffer. 

Crash 1 โ€” NULL pointer WRITE (GUI display thread):
```
ExceptionCode=0xc0000005  ExceptionAddress=VirtualBoxVM.dll+0x000267a2
ExceptionInformation[0]=1 (WRITE)  ExceptionInformation[1]=0x0000000000000000 (NULL)
rsi=0x80000001 (POISON_WIDTH)  r13=0x10 (POISON_HEIGHT=16)  rcx=0x0 (NULL dest)
```

Crash 2 โ€” Heap over-READ (EMT/main thread):
```
ExceptionCode=0xc0000005  ExceptionAddress=VBoxC.dll+0x000d1194
ExceptionInformation[0]=0 (READ)  ExceptionInformation[1]=0x00000263cefe8fd0
rax=0x80000001 (POISON_WIDTH)  r12=0x10000001 ((WIDTH+7)/8 = AND scanline width)
r13=0x10 (POISON_HEIGHT=16)  r8=0x80000001 (POISON_WIDTH)
```

Since host is 64-bit, I don't think it is an exploitable issue. For "exploit", do this on guest:
```bash
# Guest: build and load
cd /path/to/poc
make
sudo insmod gfx1_exploit.ko
```