CVE-2026-44008 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.… | CVSS 9.8 CRITICAL

Description

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.2.

Metadata

CVE ID: CVE-2026-44008
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-04 21:24 UTC
Published: 2026-05-13 17:35 UTC
Last updated: 2026-05-15 03:55 UTC
Primary CWE: CWE-668
CWE-668: Exposure of Resource to Wrong Sphere
Vendor / Product: patriksimek / vm2
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
patriksimek	vm2	—	< 3.11.2

Weakness (CWE)

CWE	Source	Description
CWE-668	cna	CWE-668: Exposure of Resource to Wrong Sphere

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq