CVE-2026-26956
Published: 04 May 2026
Description
vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue…
more
has been patched in version 3.10.5.
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Implements a reliable, tamperproof protection mechanism whose completeness can be assured.
Procedures for training on protection mechanisms reduce the chance of protection mechanism failures being present or exploitable.
Documented procedures to implement assessment, authorization, and monitoring controls prevent these protection mechanisms from failing due to undefined processes.
Direct evaluation of whether controls produce desired security outcomes detects protection mechanism failures and enables remediation.
Requires assessment that protection mechanisms are correctly implemented and producing intended security outcomes.
The POA&M process ensures identified weaknesses in protection mechanisms are documented and scheduled for remediation, reducing the duration they remain exploitable.
Ongoing control assessments and analysis of monitoring data enable timely detection and response when protection mechanisms fail.
Impact analysis identifies changes that could weaken or disable existing protection mechanisms.
Security SummaryAI
CVE-2026-26956 affects vm2, an open source virtual machine and sandbox for Node.js, specifically in version 3.10.4. The vulnerability enables a full sandbox escape, allowing arbitrary code execution on the host system. An attacker running malicious code within VM.run() can obtain a reference to the host process object and execute host commands without any cooperation from the host environment. The issue is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-693 (Protection Mechanism Failure).
Any remote attacker with the ability to supply code executed via VM.run() can exploit this vulnerability without privileges, user interaction, or special conditions. Successful exploitation grants full access to the host process, enabling arbitrary command execution with the privileges of the Node.js process running vm2. This bypasses the intended sandbox isolation, potentially leading to complete host compromise, including data theft, persistence, or further lateral movement.
The vulnerability has been patched in vm2 version 3.10.5, as detailed in the project's release notes and security advisory. Security practitioners should immediately upgrade to version 3.10.5 or later and review deployments using vm2 3.10.4 for potential exposure. Relevant resources include the GitHub release at https://github.com/patriksimek/vm2/releases/tag/v3.10.5 and the security advisory at https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66.
Details
- CWE(s)