Critical (9.8)

vm2 sandbox full RCE escape (CVE-2026-26956)

CVE-2026-26956: vm2 3.10.4 sandbox escape granting full host RCE (CVSS 9.8). Upgrade to vm2 3.10.5 immediately.

Affected: Vm2 Project Vm2

Patch now - CVE-2026-26956 is a critical sandbox escape in vm2 3.10.4 that lets attacker code inside the sandbox execute arbitrary commands on the host system with zero host cooperation. Patched in vm2 3.10.5 - upgrade immediately.

Overview

CVE-2026-26956 affects vm2 version 3.10.4, a popular JavaScript sandbox library for Node.js applications. An attacker who can execute code inside the sandbox via VM.run() can fully escape the sandbox environment, obtain the host Node.js process object, and run arbitrary operating system commands on the host machine. The vulnerability requires no authentication, no user interaction, and no cooperation from the host application.

With a CVSS score of 9.8 (Critical), this sandbox escape effectively nullifies the security guarantees that vm2 is designed to provide. Any application using vm2 3.10.4 to run untrusted JavaScript code is fully compromised if an attacker can supply sandboxed code.

Impact

Successful exploitation gives an attacker complete control over the affected system. Once the sandbox is escaped, the attacker can:

  • Execute arbitrary commands as the Node.js process user
  • Read, modify, or delete any file accessible to the process
  • Access environment variables, secrets, and database credentials
  • Install persistent backdoors or malware
  • Move laterally within the network from the compromised host

Remediation

Upgrade to vm2 version 3.10.5, which contains the fix for CVE-2026-26956. The patch is available through npm (npm install vm2@3.10.5). There are no effective mitigations short of upgrading - do not rely on input sanitization or network segmentation as compensating controls, as the sandbox escape itself requires only code execution within the VM context.

If an immediate upgrade is not possible, temporarily suspend any use of vm2 in production environments until the patch can be applied.
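To confirm the upgrade reached every installed copy, the following added example (not code from the vm2 project or from this advisory's source) walks an npm lockfile and reports each vm2 entry, including copies nested under other packages that a top-level `npm install vm2@3.10.5` does not replace. The version numbers are the ones this advisory states; the `report-runner` package and the sample lockfile are constructed for illustration.

```javascript
// Added example: list every vm2 copy recorded in an npm lockfile.
// Versions are taken from the advisory: 3.10.4 affected, 3.10.5 fixed.
const AFFECTED = '3.10.4';
const FIXED = '3.10.5';

function classify(version) {
  if (version === AFFECTED) return 'affected';
  if (version === FIXED) return 'fixed';
  return 'unlisted'; // the advisory names no other versions
}
const hit = (path, meta) => ({ path, version: meta.version, status: classify(meta.version) });

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function fromPackages(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      hits.push(hit(path, meta));
    }
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function fromDependencies(deps, prefix = '') {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'vm2') hits.push(hit(path, meta));
    hits.push(...fromDependencies(meta.dependencies, `${path}/`));
  }
  return hits;
}

function findVm2(lock) {
  return lock.packages ? fromPackages(lock.packages) : fromDependencies(lock.dependencies);
}

// Constructed sample: direct dependency upgraded, transitive copy still old.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.10.5' },
    'node_modules/report-runner': { version: '2.1.0' }, // hypothetical package
    'node_modules/report-runner/node_modules/vm2': { version: '3.10.4' },
  },
};
console.log(findVm2(sampleLock));
```

Against a real project, pass the parsed contents of `package-lock.json` to `findVm2` and treat any entry with status `affected` as still exposed, whatever the top-level version is.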

Security Insight

This vulnerability repeats a pattern that has plagued sandbox libraries for years: the inherent difficulty of fully isolating JavaScript environments from the host runtime. Node.js’s rich prototype chain and access to internal objects create a large attack surface that is nearly impossible to lock down completely. Organizations should treat vm2 (and similar sandboxing libraries) as defense-in-depth, not as a security boundary, and should never rely on them to contain malicious code from untrusted sources. Consider alternative isolation approaches such as separate processes, containers, or WebAssembly-based sandboxes for high-security workloads.
