CVE-2026-44004: vm2 Sandbox Vulnerability Leads to Host Memory Exhaustion

The National Vulnerability Database has detailed CVE-2026-44004, a critical vulnerability in vm2, an open-source Node.js sandboxing library. Prior to version 3.11.0, sandboxed code can exploit Buffer.alloc() to allocate an arbitrary amount of memory directly on the host heap. This is not a theoretical issue; Buffer.alloc is a synchronous C++ native call, meaning vm2’s timeout mechanisms are powerless to interrupt it.

This flaw allows a single malicious request to exhaust the host’s memory, triggering a FATAL ERROR: Reached heap limit and crashing the entire process. The National Vulnerability Database assigns this a CVSS score of 7.5 (HIGH), underscoring the severe availability impact. This is a denial-of-service vector that any attacker with code execution within the sandbox can leverage to bring down a Node.js application.

Defenders must understand the attacker’s calculus here: this is a low-effort, high-impact attack. It doesn’t require complex exploitation; simply calling a function with a large size is enough. CISOs need to ensure their development teams are aware of this specific vulnerability and prioritize patching vm2 to version 3.11.0 or later. Ignoring this is leaving a clear path for attackers to disrupt service availability.

What This Means For You

  • If your Node.js applications use vm2 for sandboxing, verify immediately that you are running version 3.11.0 or newer. Older versions are vulnerable to CVE-2026-44004, which lets sandboxed code exhaust host memory and crash the host process (a denial of service, no sandbox escape required). Patching is the only mitigation.
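As an added example (not from the advisory or the vm2 project), the script below audits a package-lock.json for vm2 copies older than 3.11.0, including nested copies under other packages. It assumes a lockfileVersion 2 or 3 file (the "packages" map); the sample lockfile is constructed, and a real one can be passed as the first argument.

```javascript
// Added example, not from the advisory or the vm2 project: audit a
// package-lock.json (lockfileVersion 2 or 3, "packages" map) for copies of
// vm2 older than the fixed release 3.11.0, including nested copies.
const FIXED_VM2 = [3, 11, 0];

// Parse "x.y.z" (optional leading "v"; prerelease/build suffix ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a is strictly lower than b (both as [major, minor, patch]).
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every installed vm2 path whose version predates the fix. Keys in the
// "packages" map look like "node_modules/vm2" or "node_modules/x/node_modules/vm2".
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== 'node_modules/vm2' && !path.endsWith('/node_modules/vm2')) continue;
    const ver = parseVersion(entry.version || '');
    if (ver && isBefore(ver, FIXED_VM2)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile: a vulnerable top-level vm2 and a patched nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.11.0' },
  },
};

// Usage: node audit-vm2.js path/to/package-lock.json (defaults to the sample above).
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  console.log(findVulnerableVm2(lock)); // sample: [{ path: 'node_modules/vm2', version: '3.9.19' }]
}
```

Run it against every service's lockfile, since a nested copy pulled in by a plugin is just as exposed as a direct dependency.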

Detection Rules

Severity: critical · ATT&CK T1499 (Endpoint Denial of Service, Impact tactic)

CVE-2026-44004: vm2 Buffer.alloc Heap Exhaustion Attempt

```yaml
# Title is quoted: an unquoted "CVE-2026-44004: vm2 ..." value contains ": " and is invalid YAML.
title: 'CVE-2026-44004: vm2 Buffer.alloc Heap Exhaustion Attempt'
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-44004 by monitoring Node.js processes (node / node.exe) executing commands that include 'Buffer.alloc'. This specific call, when used with an arbitrary large size within a vulnerable vm2 version (prior to 3.11.0), can lead to host memory exhaustion. This rule aims to catch the direct exploitation attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44004/
tags:
  - attack.impact   # T1499 (Endpoint Denial of Service) belongs to the Impact tactic
  - attack.t1499
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '\node.exe'   # Windows
      - '/node'       # Linux/macOS, where most Node.js services run
    CommandLine|contains:
      - 'Buffer.alloc'
  condition: selection   # sibling of selection, not nested inside it
falsepositives:
  - Legitimate administrative activity
  - Scripts passed to node with -e/--eval that allocate a Buffer for legitimate reasons
```

Note that this rule sees only the process command line, so it catches only code passed directly to node; sandboxed code that arrives in a request body or a stored script never appears there. The crash itself, the FATAL ERROR: Reached heap limit log line followed by an abrupt process exit, is the more reliable signal of exploitation.

Indicators of Compromise

ID              Type  Indicator
CVE-2026-44004  DoS   vm2 < 3.11.0
CVE-2026-44004  DoS   Node.js vm/sandbox
CVE-2026-44004  DoS   Buffer.alloc() with arbitrary size in sandboxed code
CVE-2026-44004  DoS   Host memory exhaustion leading to process crash

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
