CVE-2026-24120

CriticalPublic PoCRCE

Published: 04 May 2026

Published

04 May 2026

Modified

08 May 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24120 is a critical-severity Code Injection (CWE-94) vulnerability in Vm2 Project Vm2. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 30.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Command and Scripting Interpreter (T1059) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, testing, and deployment of patches for vm2 to version 3.10.5, directly eliminating the sandbox escape vulnerability.

RA-5 Vulnerability Monitoring and Scanning good match

preventdetect

Mandates vulnerability scanning to identify CVE-2026-24120 in vm2 deployments and subsequent risk-based remediation, preventing exploitation.

CM-10 Software Usage Restrictions partial match

prevent

Enforces deny-all-permit-by-exception policy to block execution of vulnerable vm2 versions, mitigating sandbox escape risk.

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Sandbox escape in vm2 directly enables remote arbitrary command execution on the host (T1059), via exploitation of a public-facing sandboxed application (T1190) and serves as a privilege escalation vector by breaking isolation boundaries (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the…

host system. This issue has been patched in version 3.10.5.

Deeper analysisAI

CVE-2026-24120 affects vm2, an open-source virtual machine and sandbox for Node.js applications. In versions prior to 3.10.5, the patch for the prior vulnerability CVE-2023-37466 proves insufficient and can be bypassed. This allows attackers to craft code that escapes the VM2 sandbox confines, enabling execution of arbitrary commands directly on the host system. The issue is classified under CWE-94 (code injection) and CWE-693 (protection mechanism failure), with a CVSS v3.1 base score of 9.8.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, specifically by breaking out of the sandbox to run arbitrary host commands, potentially leading to full system compromise in environments relying on vm2 for code isolation.

The vm2 project has addressed this in version 3.10.5, as detailed in the release notes and GitHub security advisory GHSA-qvjj-29qf-hp7p. Security practitioners should prioritize upgrading affected Node.js applications using vm2 to at least version 3.10.5 to mitigate the sandbox escape risk.

Details

CWE(s): CWE-94 CWE-693

Affected Products

vm2 project

vm2

≤ 3.10.5

CVEs Like This One

CVE-2026-24781Same product: Vm2 Project Vm2

CVE-2026-24118Same product: Vm2 Project Vm2

CVE-2026-26332Same product: Vm2 Project Vm2

CVE-2026-22709Same product: Vm2 Project Vm2

CVE-2026-26956Same product: Vm2 Project Vm2

CVE-2026-43997Same product: Vm2 Project Vm2

CVE-2026-44000Same product: Vm2 Project Vm2

CVE-2026-44006Same product: Vm2 Project Vm2

CVE-2026-44005Same product: Vm2 Project Vm2

CVE-2026-44007Same product: Vm2 Project Vm2

References

https://github.com/patriksimek/vm2/releases/tag/v3.10.5
Release Notes · security-advisories@github.com
https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p
Exploit, Vendor Advisory · security-advisories@github.com
https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p
Exploit, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0