vm2 <3.11.0 Buffer.alloc Heap Exhaustion in Node.js
CVE-2026-44004 Published on May 13, 2026

vm2: Host Process OOM DoS via Buffer.alloc (Timeout Bypass)
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2's timeout option cannot interrupt it. A single request can exhaust host memory and crash the process with a FATAL ERROR: Reached heap limit. This vulnerability is fixed in 3.11.0.

NVD

Vulnerability Analysis

CVE-2026-44004 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Types

Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Improper Validation of Specified Index, Position, or Offset in Input

The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.


Products Associated with CVE-2026-44004

stack.watch emails you whenever new vulnerabilities are published in Red Hat Ansible Portal or Red Hat Rhdh. Just hit a watch button to start following.

Red Hat Ansible Portal
 
Red Hat Rhdh
 

Affected Versions

patriksimek vm2: Red Hat Self-service automation portal 2: Red Hat Developer Hub:

Exploit Probability

EPSS
0.32%
Percentile
23.62%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.