CVE-2026-44001

8.6 HIGH

vm2 is an open source vm/sandbox for Node.js

Published: 2026-05-13 · Last updated: 2026-05-18

Severity and scoring

CVSS: 8.6 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE: CWE-248

Affected products

Vendor	Product
vm2_project	vm2

Description

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 (v3.10.2) only sanitized the onRejected callback in .then() and .catch() overrides and did not address the executor-to-unhandledRejection path. This vulnerability is fixed in 3.11.0.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44001
[Vendor advisory]https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh
[Vendor advisory]https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh

Related CVEs

Same CWE

CVE-2026-46689 — Kanidm is an identity management platform
CVE-2026-46545 — Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm (7.5 HIGH)
CVE-2026-46411 — FlashMQ is a MQTT broker/server, designed for multi-CPU environments (6.5 MEDIUM)
CVE-2026-45685 — OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (7.5 HIGH)
CVE-2026-45676 — OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (5.5 MEDIUM)