Cyber Resilience

CVE-2026-24118

CriticalPublic PoCRCEUpdated

Published: 04 May 2026

Published
04 May 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0092 55.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-24118 is a critical-severity Code Injection (CWE-94) vulnerability in Vm2 Project Vm2. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked in the top 44.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SC-39 (Process Isolation).

Deeper analysis

CVE-2026-24118 is a sandbox breakout vulnerability in vm2, an open-source virtual machine and sandbox library for Node.js. Versions prior to 3.11.0 are affected, enabling attackers to craft code that escapes the VM2 sandbox isolation and executes arbitrary commands on the host system. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and CWE-693 (Protection Mechanism Failure), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any remote attacker can exploit this vulnerability by supplying malicious code to be executed within a VM2 sandbox instance, requiring no privileges, user interaction, or special conditions due to its network accessibility and low attack complexity. Successful exploitation allows full compromise of the host system, providing high-impact unauthorized access to read, modify, or destroy data (confidentiality, integrity) and disrupt services (availability).

The vulnerability has been patched in vm2 version 3.11.0. Mitigation involves upgrading to this version or later, as detailed in the GitHub security advisories (GHSA-grj5-jjm8-h35p), patch commits (2b5f3e3a060d9088f5e1cdd585d683d491f990a3 and f9b700b1c7d9ef2df416666cb24e0b659140cc74), and release notes for v3.11.0.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.…

more

This issue has been patched in version 3.11.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Sandbox escape via code injection (CWE-94) directly enables arbitrary command execution on host via JavaScript (T1059.007) and host compromise/privilege escalation from restricted context (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22709Same product: Vm2 Project Vm2
CVE-2026-24781Same product: Vm2 Project Vm2
CVE-2026-44005Same product: Vm2 Project Vm2
CVE-2026-26332Same product: Vm2 Project Vm2
CVE-2026-24120Same product: Vm2 Project Vm2
CVE-2026-44009Same product: Vm2 Project Vm2
CVE-2026-43998Same product: Vm2 Project Vm2
CVE-2026-45411Same product: Vm2 Project Vm2
CVE-2026-44006Same product: Vm2 Project Vm2
CVE-2026-44000Same product: Vm2 Project Vm2

Affected Assets

vm2 project
vm2
≤ 3.11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely patching of the vm2 sandbox breakout vulnerability in versions prior to 3.11.0 to prevent arbitrary command execution on the host.

prevent

Enforces process isolation to prevent sandbox escape vulnerabilities like CVE-2026-24118 where attackers breakout from vm2 to execute host commands.

prevent

Requires secure isolation and policies for mobile code execution, mitigating risks from vulnerable sandboxes such as vm2 used for untrusted Node.js code.

References