CVE-2026-24118
Published: 04 May 2026
Summary
CVE-2026-24118 is a critical-severity Code Injection (CWE-94) vulnerability in Vm2 Project Vm2. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 36.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SC-39 (Process Isolation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely patching of the vm2 sandbox breakout vulnerability in versions prior to 3.11.0 to prevent arbitrary command execution on the host.
Enforces process isolation to prevent sandbox escape vulnerabilities like CVE-2026-24118 where attackers breakout from vm2 to execute host commands.
Requires secure isolation and policies for mobile code execution, mitigating risks from vulnerable sandboxes such as vm2 used for untrusted Node.js code.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Sandbox escape via code injection (CWE-94) directly enables arbitrary command execution on host via JavaScript (T1059.007) and host compromise/privilege escalation from restricted context (T1068).
NVD Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.…
more
This issue has been patched in version 3.11.0.
Deeper analysisAI
CVE-2026-24118 is a sandbox breakout vulnerability in vm2, an open-source virtual machine and sandbox library for Node.js. Versions prior to 3.11.0 are affected, enabling attackers to craft code that escapes the VM2 sandbox isolation and executes arbitrary commands on the host system. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and CWE-693 (Protection Mechanism Failure), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Any remote attacker can exploit this vulnerability by supplying malicious code to be executed within a VM2 sandbox instance, requiring no privileges, user interaction, or special conditions due to its network accessibility and low attack complexity. Successful exploitation allows full compromise of the host system, providing high-impact unauthorized access to read, modify, or destroy data (confidentiality, integrity) and disrupt services (availability).
The vulnerability has been patched in vm2 version 3.11.0. Mitigation involves upgrading to this version or later, as detailed in the GitHub security advisories (GHSA-grj5-jjm8-h35p), patch commits (2b5f3e3a060d9088f5e1cdd585d683d491f990a3 and f9b700b1c7d9ef2df416666cb24e0b659140cc74), and release notes for v3.11.0.
Details
- CWE(s)