CVE-2026-44008
published 2026-05-13


Priority: P2 62 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.85% (53.6th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.2.

Affected

5 ranges

Vendor                        Product             Version range    Fixed in
ansible-automation-platform   automation-portal   (not listed)     (not listed)
patriksimek                   vm2                 < 3.11.2         3.11.2
rhdh                          rhdh-hub-rhel9      (not listed)     (not listed)
vm2_project                   vm2                 < 3.11.2         3.11.2
vm2_project                   vm2                 >= 0 < 3.11.2    3.11.2

Detection & IOCs (extracted from sources)

  • The vulnerable method `neutralizeArraySpeciesBatch` in vm2 can be triggered by a getter on the array prototype from within the sandbox, exposing host-side objects including the host Function object; monitor sandboxed code submissions that manipulate Array.prototype getters or species properties.
  • Exploitation allows escape from the VM2 sandbox and arbitrary command execution on the host; monitor for unexpected child process spawning or shell execution originating from Node.js processes running vm2 prior to version 3.11.2.
  • A remote unauthenticated attacker who can submit sandboxed code may escape the sandbox; treat any externally supplied code executed via vm2 < 3.11.2 as a high-risk vector and alert on network-originated code submissions to vm2-backed services.
  • The vulnerability exists specifically in vm2 versions prior to 3.11.2; the fix is to upgrade to 3.11.2 or later. Verify the installed vm2 version in Node.js environments to determine exposure.
  • Red Hat packages rhdh/rhdh-hub-rhel9 (Red Hat Developer Hub) and ansible-automation-platform/automation-portal (Self-service automation portal 2) were listed as under investigation at time of publication; patch status may have changed.
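An added triage helper (example code written for this page, not from the advisory or the vm2 project) covering two of the checks above: whether an installed vm2 version falls in the affected range < 3.11.2, including nested copies found in a package-lock.json, and a heuristic flag for sandbox submissions that define accessors on Array.prototype or touch Symbol.species. The lockfile object and code strings are constructed samples.

```javascript
// Added example for CVE-2026-44008 (not from the advisory or the vm2 project).
// Part 1: version exposure check against the advisory's range "< 3.11.2".
// Part 2: heuristic flagging of submissions that tamper with Array.prototype
// accessors or Symbol.species, the trigger surface the advisory describes.
const FIXED_VERSION = '3.11.2'; // fix version stated in the advisory

// Parse "x.y.z" (a "v" prefix or prerelease suffix is tolerated and ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
// Numeric comparison of two dotted versions: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
// True when the installed version is affected, i.e. strictly below 3.11.2.
function isAffectedVm2(installedVersion) {
  return compareVersions(installedVersion, FIXED_VERSION) < 0;
}

// Walk a package-lock.json (lockfileVersion 2 or 3) object and report every
// affected vm2 install, including copies nested under other dependencies.
function affectedVm2Installs(lockfile) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lockfile.packages || {})) {
    const isVm2 = path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2');
    if (isVm2 && pkg.version && isAffectedVm2(pkg.version)) hits.push({ path, version: pkg.version });
  }
  return hits;
}

// Patterns for the advisory's trigger surface. Expect false positives: use for
// alerting and human review, not as the sole control.
const SUSPICIOUS = [
  { name: 'array-prototype-accessor', re: /Object\.defineProperty\s*\(\s*Array\.prototype\b/ },
  { name: 'array-prototype-legacy-getter', re: /Array\.prototype\.__defineGetter__/ },
  { name: 'symbol-species', re: /Symbol\.species/ },
];
function flagSubmission(code) {
  return SUSPICIOUS.filter((s) => s.re.test(code)).map((s) => s.name);
}

// Constructed sample lockfile: one affected top-level copy, one fixed nested copy.
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/vm2': { version: '3.9.19' },
  'node_modules/some-dep/node_modules/vm2': { version: '3.11.2' },
} };
console.log(affectedVm2Installs(sampleLock)); // [{ path: 'node_modules/vm2', version: '3.9.19' }]
```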

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             v3.1           9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat                  9.8     CRITICAL