According to the change log, the guest to host escape vulnerability with the e1000 networking driver was not fixed, or at least it is not listed as being fixed. Is this correct that it is not fixed?
Oracle has an arcane policy of not mentioning any security fixes for any of their managed products, except for once a quarter. The flaw has been fixed as of 5.2.22, but the VirtualBox devs are not allowed to mention it until sometime in January I think.
https://github.com/MorteNoir1/virtualbox_e1000_0day