CVE-2026-24120
Code Execution Escape in vm2 Sandbox
Publication date: 2026-05-04
Last updated on: 2026-05-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patriksimek | vm2 | to 3.10.5 (exc) |
| patriksimek | vm2 | 3.10.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in vm2, an open source virtual machine and sandbox for Node.js. Before version 3.10.5, a previous fix for CVE-2023-37466 was not sufficient and could be bypassed by attackers. This allows them to write code that escapes the vm2 sandbox and execute arbitrary commands on the host system.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows attackers to break out of the sandbox environment and run arbitrary commands on the host system. This can lead to full system compromise, unauthorized access to sensitive data, disruption of services, and potential further exploitation of the affected system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade vm2 to version 3.10.5 or later, as this version contains the patch that fixes the issue allowing sandbox escape and arbitrary command execution.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-24120 allows attackers to escape the vm2 sandbox and execute arbitrary commands on the host system, resulting in full compromise of system confidentiality, integrity, and availability.
Such a severe security flaw can lead to unauthorized access to sensitive data and disruption of services, which may cause non-compliance with common standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information.
Therefore, if a system uses vulnerable versions of vm2, it risks violating these regulations due to potential data breaches and loss of control over protected data.