10.0 CRITICAL

Critical vm2 sandbox bug lets attackers execute code on hosts

📅 6 May 2026 at 18:38 UTC 📰 Bleeping Computer

A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system. [...]

🤖 AI Briefing: Auto-generated threat analysis
🔍 Threat Overview

A critical vulnerability in the vm2 sandbox library allows attackers to execute arbitrary code on host systems. It affects environments running Node.js 25 with WebAssembly exception handling and JSTag support enabled.

⚙️ Technical Details
CVEs
CVE-2026-26956, CVE-2023-30547, CVE-2023-29017, CVE-2022-36067
Affected Systems
vm2 version 3.10.4 and earlier
Attack Vectors
NETWORK
💥 Impact Assessment
Severity: CRITICAL
Who Is at Risk
Users of vm2 on Node.js 25 with WebAssembly exception handling and JSTag support enabled
🛡️ Recommended Actions
1. Upgrade to vm2 version 3.10.5 or later
2. Disable WebAssembly exception handling and JSTag support in environments where they are not necessary
3. Monitor for suspicious activity and implement additional security controls
📦 Affected Products
Vm2 Project Vm2
🔐 NVD Verified Data (VERIFIED)
CVE-2026-26956: CVSS 9.8 CRITICAL
Attack Vector
NETWORK
Complexity
LOW
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses
CWE-693
CVE-2026-22709: CVSS 10 CRITICAL
Attack Vector
NETWORK
Complexity
LOW
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Weaknesses
CWE-94, CWE-913, CWE-693
Affected Products (CPE)
Vm2 Project Vm2
CVE-2022-36067: CVSS 10 CRITICAL
Attack Vector
NETWORK
Complexity
LOW
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Weaknesses
CWE-913
Affected Products (CPE)
Vm2 Project Vm2

This is a curated summary. The complete article is available at Bleeping Computer.
