CRITICAL🇵🇱 Wersja polska

CVE-2026-26956

CVSS 9.8v3.1pub. 2026-05-04upd. 2026-06-30

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

🤖 AI Analysis
How it works

Code executed within the isolated vm2 environment through the VM.run() function is able to gain access to the host process object. This enables the execution of arbitrary system commands directly on the host machine, completely bypassing sandbox isolation mechanisms. The vulnerability requires no privileges or user interaction, and the attack vector is network-based.

Impact

An attacker gains full control over the host process, enabling arbitrary code execution (RCE), data theft, system modification, or further lateral movement in the network.

Mitigation & patch

The vm2 library must be updated to version 3.10.5, in which the vulnerability has been patched. Details are available in the vendor references: https://github.com/patriksimek/vm2/releases/tag/v3.10.5

Who is affected

vm2 in version 3.10.4 (Vm2 Project Vm2)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vm2 Project Vm2

    APP
    Vm2 Project
    < 3.10.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-44005CRITICAL10.0PL ✓ten sam produkt

vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)

CVE-2026-44006CRITICAL10.0PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)

CVE-2026-43997CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)

CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt

vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'

CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)