CRITICAL🇵🇱 Wersja polska

CVE-2026-26332

CVSS 9.8v3.1pub. 2026-05-04upd. 2026-06-30

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

🤖 AI Analysis
How it works

The vulnerability results from improper handling of the SuppressedError mechanism, which allows an attacker to bypass sandbox protections (CWE-693 — Protection Mechanism Failure). By passing specially crafted code to vm2, an attacker can escape the isolated execution environment and gain access to the host Node.js context. This mechanism is also classified as CWE-94 — Code Injection, as the result is the ability to inject and execute arbitrary code at the level of the underlying system.

Impact

An attacker can escape the vm2 sandbox and execute arbitrary code in the context of the host Node.js process, which can potentially lead to complete server takeover, data disclosure, or service disruption.

Mitigation & patch

Update the vm2 library to version 3.11.0 or later, in which the vulnerability has been fixed. Details available in the vendor references: https://github.com/patriksimek/vm2/releases/tag/v3.11.0

Who is affected

Vm2 Project vm2 in all versions before 3.11.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vm2 Project Vm2

    APP
    Vm2 Project
    < 3.11.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44005CRITICAL10.0PL ✓ten sam produkt

vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)

CVE-2026-44006CRITICAL10.0PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)

CVE-2026-43997CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)

CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt

vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'

CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)