CVE-2026-44001
Published 2026-05-13
Priority P3 · 48 · high · 8.6 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:C / C:N / I:N / A:H
EPSS: 0.45% (35.8th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 (v3.10.2) only sanitized the onRejected callback in .then() and .catch() overrides and did not address the executor-to-unhandledRejection path. This vulnerability is fixed in 3.11.0.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| rhdh | rhdh-hub-rhel9 | — | — |
| vm2_project | vm2 | < 3.11.0 | 3.11.0 |
| vm2_project | vm2 | >= 0 < 3.11.0 | 3.11.0 |
CVSS provenance
nvd · v3.1 · 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
ghsa · 10.0 CRITICAL
vendor_redhat · 10.0 CRITICAL
Red Hat
vm2: vm2: Sandbox escape leads to Denial of Service
vendor_redhat·2026-05-13·CVSS 10.0
CVE-2026-44001 [CRITICAL] CWE-248 vm2: vm2: Sandbox escape leads to Denial of Service
A flaw was found in vm2 (before 3.11.0). Sandboxed code can crash the host Node.js process via a Promise constructor that triggers an unhandled rejection propagating to the host; the CVE-2026-22709 fix only sanitized .then()/.catch() callbacks, not the executor path. Fixe
GHSA
vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
ghsa·2026-05-07·CVSS 10.0
CVE-2026-44001 [CRITICAL] CWE-248 vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
### Summary
A sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 (v3.10.2) only sanitized the `onRejected` callback in `.then()` and `.catch()` overrides and did not address the executor-to-unhandledRejection path.
### Details
When sandboxed code creates a `Promise` whose executor sets `Error.name` to a `Symbol()` and then accesses `.stack`, V8's internal `FormatStackTrace` (C++) attempts `Symbol.toString()`, which throws a **host-realm TypeError**. Because this error originates inside the Promise executor and no `.catch()` hand
No detection rules found.
No public exploits indexed.
https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh
https://access.redhat.com/security/cve/CVE-2026-44001
https://bugzilla.redhat.com/show_bug.cgi?id=2477208
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44001.json
Published: 2026-05-13