CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-26956: WebAssembly Exception Handling Sandbox Escape in vm2

Vulnerability ID: CVE-2026-26956
CVSS Score: 9.8
Published: 2026-05-05

vm2 versions 3.10.4 and below are vulnerable to a critical sandbox escape flaw resulting in unauthenticated remote code execution. Attackers can leverage Node.js v25 WebAssembly (WASM) exception handling mechanisms to bypass JavaScript-level error instrumentation and gain access to the host-realm execution context.

TL;DR

A critical sandbox escape (CVSS 9.8) in vm2 allows attackers to achieve arbitrary code execution by exploiting WebAssembly try_table and JSTag instructions to leak unsanitized host-realm objects.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-693 (Protection Mechanism Failure)
  • Attack Vector: Network (Unauthenticated)
  • CVSS v3.1: 9.8 (Critical)
  • Impact: Remote Code Execution / Sandbox Escape
  • Exploit Status: Proof of Concept Available
  • Vulnerable Component: Error instrumentation / handleException()

Affected Systems

  • Node.js applications evaluating untrusted code
  • vm2 versions 3.10.4 and below
  • vm2: <= 3.10.4 (Fixed in: 3.10.5)

Code Analysis

Commit: 1fbdeff

Deletes WebAssembly.JSTag from the sandbox to prevent WASM from intercepting JS exceptions.

Commit: ebcfe94

Hardens lib/bridge.js by explicitly caching and blocking all code-executing constructors.

Commit: a6cd917

Implements recursive sanitization for SuppressedError types in handleException().

Commit: 57971fa

Moves bridge handler methods to closure-scoped functions to prevent exposure via util.inspect.

Mitigation Strategies

  • Upgrade vm2 to patched version 3.10.5.
  • Disable WebAssembly within the vm2 sandbox by setting 'wasm: false'.
  • Migrate to an isolate-based sandboxing library like 'isolated-vm' due to the deprecation of vm2.

Remediation Steps:

  1. Identify all projects and transitive dependencies utilizing vm2.
  2. Update the package.json to require vm2 version 3.10.5 or higher.
  3. Run 'npm install' or 'yarn install' to update the dependency tree.
  4. Audit sandbox instantiation code and enforce 'wasm: false' if WebAssembly is not strictly required.
  5. Begin architecture planning to replace vm2 with isolated-vm.

Read the full report for CVE-2026-26956 on our website for more details including interactive diagrams and full exploit analysis.