CVE-2026-26332
published 2026-05-04


Priority: P264, critical
CVSS 3.1 base score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.71% (48.9th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

Affected (5 ranges)

Vendor                       Product            Version range    Fixed in
ansible-automation-platform  automation-portal
patriksimek                  vm2                < 3.11.0         3.11.0
rhdh                         rhdh-hub-rhel9
vm2_project                  vm2                < 3.11.0         3.11.0
vm2_project                  vm2                >= 0 < 3.11.0    3.11.0

Detection & IOCs (extracted from sources)

  • The sandbox escape abuses vm2's handling of `SuppressedError`, which causes rejection callbacks to run on the host side instead of inside the isolated sandbox context. Monitor for unexpected code execution originating from vm2 sandbox contexts.
  • Any Node.js process running a vm2 version earlier than 3.11.0 is vulnerable. Inventory deployed environments for outdated vm2 package versions.
  • Review the two upstream fixing commits to understand the exact code paths that changed, and build targeted code-level detections or audit rules around SuppressedError handling in vm2.
  • Red Hat Developer Hub (rhdh/rhdh-hub-rhel9) is NOT affected: vm2 is only a development dependency there and the vulnerable code path cannot be reached by an adversary, so patching need not be prioritized in that context.
  • The Self-service automation portal 2 package (ansible-automation-platform/automation-portal) IS confirmed affected and should be prioritized for an update to vm2 >= 3.11.0.

CVSS provenance

NVD: CVSS v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vendor (Red Hat): 10.0 CRITICAL