CVE-2026-44009

CRITICAL

vm2: Sandbox Breakout Through Null Proto Exception

Title source: cna
STIX 2.1

Description

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.

Scores

CVSS v3 9.8
EPSS 0.0081
EPSS Percentile 52.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-653 CWE-668
Status published
Products (3)
npm/vm2 0 - 3.11.2npm
patriksimek/vm2 < 3.11.2
vm2_project/vm2 < 3.11.2
Published May 13, 2026
Tracked Since May 13, 2026