Cyber Resilience

CVE-2026-26332

CriticalPublic PoCRCEUpdated

Published: 04 May 2026

Published
04 May 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0058 43.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-26332 is a critical-severity Code Injection (CWE-94) vulnerability in Vm2 Project Vm2. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26332 is a critical vulnerability in vm2, an open source virtual machine and sandbox implementation for Node.js. Prior to version 3.11.0, the SuppressedError mechanism allows attackers to escape the sandbox confines and execute arbitrary code on the host system. The issue is associated with CWE-94 (code injection) and CWE-693 (protection mechanism failure), earning a CVSS v3.1 base score of 9.8.

The vulnerability enables remote exploitation over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N), no user interaction (UI:N), and resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) under an unchanged scope (S:U). Any unauthenticated attacker able to trigger vm2 sandbox execution, such as through untrusted input in Node.js applications using the library for code isolation, can break out and run arbitrary code with the privileges of the hosting process.

The vulnerability has been patched in vm2 version 3.11.0. Security advisories and release notes on GitHub, including GHSA-55hx-c926-fr95 and the v3.11.0 release tag, detail the fix and recommend upgrading immediately to mitigate the sandbox escape risk.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

CVE enables remote unauthenticated arbitrary code execution via sandbox escape in a Node.js library (CWE-94), directly mapping to exploitation of exposed applications and JavaScript command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24781Same product: Vm2 Project Vm2
CVE-2026-43997Same product: Vm2 Project Vm2
CVE-2026-26956Same product: Vm2 Project Vm2
CVE-2026-24118Same product: Vm2 Project Vm2
CVE-2026-24120Same product: Vm2 Project Vm2
CVE-2026-22709Same product: Vm2 Project Vm2
CVE-2026-43999Same product: Vm2 Project Vm2
CVE-2026-44006Same product: Vm2 Project Vm2
CVE-2026-44005Same product: Vm2 Project Vm2
CVE-2026-44000Same product: Vm2 Project Vm2

Affected Assets

vm2 project
vm2
≤ 3.11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 mandates timely remediation of identified flaws, directly addressing CVE-2026-26332 by requiring patching of vm2 to version 3.11.0.

preventdetect

RA-5 requires vulnerability scanning of system components and dependencies, enabling early detection and remediation of the vm2 sandbox escape vulnerability.

prevent

SC-50 enforces robust software-based separation and policy mechanisms, mitigating sandbox escape risks like SuppressedError in vm2 by requiring verified isolation.

References