CVE-2026-44004
Published 2026-05-13
CVE-2026-44004: vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the…
Priority: P345 (high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.42% (34.0th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2's timeout option cannot interrupt it. A single request can exhaust host memory and crash the process with a FATAL ERROR: Reached heap limit. This vulnerability is fixed in 3.11.0.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| patriksimek | vm2 | < 3.11.0 | 3.11.0 |
| rhdh | rhdh-hub-rhel9 | — | — |
| vm2_project | vm2 | < 3.11.0 | 3.11.0 |
| vm2_project | vm2 | >= 0 < 3.11.0 | 3.11.0 |
CVSS provenance
nvd v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat: 7.5 HIGH
VulDB
patriksimek vm2 up to 3.10.x Buffer.alloc allocation of resources (GHSA-6785-pvv7-mvg7)
vuldb·2026-05-13·CVSS 7.5
CVE-2026-44004 [HIGH] patriksimek vm2 up to 3.10.x Buffer.alloc allocation of resources (GHSA-6785-pvv7-mvg7)
A vulnerability, which was classified as problematic, was found in patriksimek vm2 up to 3.10.x. The affected element is the function Buffer.alloc. The manipulation results in allocation of resources.
This vulnerability is identified as CVE-2026-44004. The attack can be executed remotely. There is not any exploit available.
You should upgrade the affected component.
GHSA
vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion
ghsa·2026-05-07
CVE-2026-44004 [HIGH] CWE-770 vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion
### Summary
Sandboxed code can call `Buffer.alloc()` with an arbitrary size to allocate memory directly on the host heap. Because `Buffer.alloc` is a synchronous C++ native call, vm2's `timeout` option cannot interrupt it. A single request can exhaust host memory and crash the process with a `FATAL ERROR: Reached heap limit`.
### Details
In `lib/vm.js:58`, `Buffer` is exposed to the sandbox through the `HOST` object. The bridge proxy (`lib/bridge.js`) passes `Buffer.alloc()` calls to the host without any size validation.
Key technical distinction from regular JavaScript memory exhaustion (e.g., `while(true) a.push(...)`):
- **JavaScript loops**: V8 can interrupt via timeout — vm2's `timeout` opt
Red Hat
vm2: vm2: Denial of Service via host memory exhaustion
vendor_redhat·2026-05-13·CVSS 7.5
CVE-2026-44004 [HIGH] CWE-1285 vm2: vm2: Denial of Service via host memory exhaustion
A flaw was found in vm2 (before 3.11.0). Sandboxed code can call Buffer.alloc() with arbitrary size to allocate on the host heap synchronously; vm2 timeout cannot interrupt the native C++ call, allowing a single request to exhaust host memory and crash the process. Fixed in 3.11.0.
Statement: vm2 is vulnerable to denial of service
No detection rules found.
No public exploits indexed.
References
https://github.com/patriksimek/vm2/security/advisories/GHSA-6785-pvv7-mvg7
https://access.redhat.com/security/cve/CVE-2026-44004
https://bugzilla.redhat.com/show_bug.cgi?id=2477195
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44004.json
Published: 2026-05-13