vm2 Sandbox Escape via neutralizeArraySpeciesBatch (pre3.11.2)
CVE-2026-44008 Published on May 13, 2026
vm2: Snabox breakout via `neutralizeArraySpeciesBatch`
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.2.
Vulnerability Analysis
CVE-2026-44008 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Types
Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Insufficient Isolation of System-Dependent Functions
The product or code does not isolate system-dependent functionality into separate standalone modules.
Products Associated with CVE-2026-44008
stack.watch emails you whenever new vulnerabilities are published in Red Hat Ansible Portal or Red Hat Rhdh. Just hit a watch button to start following.
Affected Versions
patriksimek vm2:- Version < 3.11.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.