CVE-2026-44001

HighPublic PoC

Published: 13 May 2026

Published

13 May 2026

Modified

14 May 2026

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS Score 0.0004 12.1th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-44001 is a high-severity Uncaught Exception (CWE-248) vulnerability in Vm2 Project Vm2. Its CVSS base score is 8.6 (High).

Operationally, ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-24 Fail in Known State

addresses: CWE-248

Prevents abrupt termination from uncaught exceptions by requiring a defined, preserved-state failure mode.

SI-17 Fail-safe Procedures

addresses: CWE-248

Requires pre-defined safe responses for uncaught exceptions so they do not result in undefined or insecure program termination.

NVD Description

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to…

the host. The fix for CVE-2026-22709 (v3.10.2) only sanitized the onRejected callback in .then() and .catch() overrides and did not address the executor-to-unhandledRejection path. This vulnerability is fixed in 3.11.0.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-248

Affected Products

vm2 project

vm2

≤ 3.11.0

References

https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh
Exploit, Vendor Advisory · security-advisories@github.com