Cyber Resilience

CVE-2026-44001

High · Public PoC · Updated

Published: 13 May 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (fixed in vm2 3.11.0)
CVSS Score: v3.1 8.6 (High) · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS Score: 0.0045 (35.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-44001 is a high-severity Uncaught Exception (CWE-248) vulnerability in vm2 (NVD vendor/product: "Vm2 Project Vm2"), an open-source sandbox for Node.js. Its CVSS v3.1 base score is 8.6 (High): reachable over the network, no privileges or user interaction required, scope changed (code inside the sandbox affects the host process), with availability impact only.

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004): a single sandboxed snippet takes down the whole host process, so any service that runs untrusted or tenant code in vm2 is exposed to a one-request denial of service. EPSS ranks it at the 35.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.


Vulnerability details

vm2 is an open-source vm/sandbox for Node.js. In versions prior to 3.11.0 (reported against v3.10.5), a sandbox escape allows any sandboxed code to crash the host Node.js process with a single Promise constructor call: the rejection produced by the Promise's executor is never handled and propagates as an unhandled rejection to the host. The fix for CVE-2026-22709 (v3.10.2) only sanitized the onRejected callback in the .then() and .catch() overrides and did not address the executor-to-unhandledRejection path. This vulnerability is fixed in 3.11.0.

CWE(s)

CWE-248 Uncaught Exception

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Code inside the sandbox triggers an unhandled promise rejection that the host process does not catch, crashing it; that is application exploitation for denial of service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44004 (same product: vm2)
CVE-2026-44005 (same product: vm2)
CVE-2026-44000 (same product: vm2)
CVE-2026-26332 (same product: vm2)
CVE-2026-43997 (same product: vm2)
CVE-2026-24118 (same product: vm2)
CVE-2026-44008 (same product: vm2)
CVE-2026-43998 (same product: vm2)
CVE-2026-43999 (same product: vm2)
CVE-2026-24781 (same product: vm2)

Affected Assets

vm2 project
vm2
< 3.11.0 (fixed in 3.11.0; the details above confirm 3.11.0 itself is not affected)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- addresses CWE-248: Prevents abrupt termination from uncaught exceptions by requiring a defined, preserved-state failure mode.
- addresses CWE-248: Requires pre-defined safe responses for uncaught exceptions so they do not result in undefined or insecure program termination.
