CVE-2026-26332
Published: 04 May 2026
Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Implements a reliable, tamperproof protection mechanism whose completeness can be assured.
- Procedures for training on protection mechanisms reduce the chance of protection mechanism failures being present or exploitable.
- Documented procedures to implement assessment, authorization, and monitoring controls prevent these protection mechanisms from failing due to undefined processes.
- Direct evaluation of whether controls produce desired security outcomes detects protection mechanism failures and enables remediation.
- Requires assessment that protection mechanisms are correctly implemented and producing intended security outcomes.
- The POA&M process ensures identified weaknesses in protection mechanisms are documented and scheduled for remediation, reducing the duration they remain exploitable.
- Ongoing control assessments and analysis of monitoring data enable timely detection and response when protection mechanisms fail.
- Impact analysis identifies changes that could weaken or disable existing protection mechanisms.
Security Summary (AI-generated)
CVE-2026-26332 is a critical vulnerability in vm2, an open source virtual machine and sandbox implementation for Node.js. Prior to version 3.11.0, the SuppressedError mechanism allows attackers to escape the sandbox confines and execute arbitrary code on the host system. The issue is associated with CWE-94 (code injection) and CWE-693 (protection mechanism failure), earning a CVSS v3.1 base score of 9.8.
The vulnerability enables remote exploitation over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N), no user interaction (UI:N), and resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) under an unchanged scope (S:U). Any unauthenticated attacker able to trigger vm2 sandbox execution, such as through untrusted input in Node.js applications using the library for code isolation, can break out and run arbitrary code with the privileges of the hosting process.
The vulnerability has been patched in vm2 version 3.11.0. Security advisories and release notes on GitHub, including GHSA-55hx-c926-fr95 and the v3.11.0 release tag, detail the fix and recommend upgrading immediately to mitigate the sandbox escape risk.
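The practical remediation step above is an upgrade to vm2 3.11.0 or later. The script below, an added example that is not part of this advisory or of the vm2 project, finds every copy of vm2 in a lockfile (including nested copies pulled in transitively) whose version is below the fixed release. It assumes a package-lock.json in lockfileVersion 2 or 3 layout, where `packages` maps install paths such as `node_modules/vm2` to entries with a `version` field; the sample lockfile and its version numbers are constructed for illustration.

```javascript
// Added example (not from the advisory or the vm2 project): flag vm2 installs
// older than the release that fixes CVE-2026-26332.
const FIXED_VERSION = '3.11.0'; // fixed version stated in the advisory

// Parse "major.minor.patch" from a version string, tolerating range prefixes
// such as "^", "~", "=" or "v". Returns null when the string is not parseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim().replace(/^[\^~=v]+/, ''));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of two versions: -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the given vm2 version is older than the fixed release.
function isVulnerableVm2(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk a package-lock.json object (lockfileVersion 2 or 3). Every key in
// "packages" is an install path; a vm2 copy lives at any path ending in
// "node_modules/vm2", which also catches nested copies under other packages.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/vm2') || !entry.version) continue;
    if (isVulnerableVm2(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical package names and versions): the
// top-level vm2 is patched, but a nested copy under "legacy-runner" is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.11.0' },
    'node_modules/legacy-runner': { version: '0.4.2' },
    'node_modules/legacy-runner/node_modules/vm2': { version: '3.9.19' },
  },
};

// Usage: report each vulnerable copy with its install path.
for (const hit of findVulnerableVm2(SAMPLE_LOCK)) {
  console.log(`vulnerable vm2 ${hit.version} at ${hit.path} (fixed in ${FIXED_VERSION})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Checking the lockfile rather than only the top-level `package.json` matters here because a nested, older vm2 brought in by a dependency is still the copy that executes untrusted code.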
Details
- CWE(s)