vm2 Sandbox Escape (CVE-2026-44001) Allows Host Node.js Process Crash
A critical sandbox escape vulnerability, identified as CVE-2026-44001, has been discovered in vm2, an open-source vm/sandbox for Node.js. According to the National Vulnerability Database, this flaw impacts vm2 versions prior to 3.11.0, specifically v3.10.5. The vulnerability allows any code executing within the vm2 sandbox to crash the host Node.js process. This is achieved through a single Promise constructor that triggers an unhandled rejection, which then propagates to the host.
The National Vulnerability Database highlights that the fix implemented for CVE-2026-22709 (in v3.10.2) was insufficient. That patch only addressed the onRejected callback in .then() and .catch() overrides, failing to secure the critical executor-to-unhandledRejection path. This oversight left a significant attack vector open, leading to the current high-severity issue.
With a CVSS score of 8.6 (HIGH), this vulnerability poses a substantial risk for applications relying on vm2 for sandboxing. While it doesn’t lead to direct information disclosure or integrity compromise (C:N, I:N), the ability to crash the host process directly translates to a denial-of-service (A:H) condition. The fix is available in vm2 version 3.11.0, and immediate patching is essential to mitigate this risk.
What This Means For You
- If your organization utilizes vm2 for Node.js sandboxing, you are directly exposed to CVE-2026-44001. Attackers can leverage this to take your applications offline. Immediately audit your dependencies for vm2 versions prior to 3.11.0 and prioritize upgrading to version 3.11.0 or newer to prevent denial-of-service attacks.
🛡️ Detection Rules
vm2 Sandbox Escape via Promise Constructor - CVE-2026-44001

```yaml
title: vm2 Sandbox Escape via Promise Constructor - CVE-2026-44001
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
    Detects the specific exploit pattern for CVE-2026-44001 where a sandboxed vm2 process attempts to crash the host Node.js process by creating a Promise with an executor that throws an unhandled rejection. This rule looks for node.exe executing with a command line containing the specific Promise constructor used in the exploit.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-44001/
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
detection:
    selection:
        Image|contains:
            - 'node.exe'
        CommandLine|contains:
            # Double-quoted so the inner single quotes parse as plain YAML
            - "new Promise((resolve, reject) => { throw new Error('unhandled rejection'); })"
    condition: selection
falsepositives:
    - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44001 | DoS | vm2 < 3.11.0 |
| CVE-2026-44001 | Sandbox Escape | vm2 v3.10.5 |
| CVE-2026-44001 | DoS | Node.js host process crash via Promise constructor unhandled rejection |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.