vm2 Sandbox Escape (CVE-2026-45411) Poses Critical RCE Risk


A critical vulnerability, CVE-2026-45411, has been identified in vm2, an open-source sandbox for Node.js. The National Vulnerability Database reports that prior to version 3.11.3, an attacker can exploit a flaw in how vm2 handles host exceptions within async generators. Specifically, a yield* expression inside an async generator lets sandboxed code catch host exceptions, and when the generator is closed, an exception thrown during the host's then call is handed back to the iterator as its next value.

This intricate exception handling bypass enables attackers to break out of the vm2 sandbox. Once outside, they can execute arbitrary commands on the host system, leading to a complete compromise. The National Vulnerability Database assigns this a CVSS score of 9.8 (CRITICAL), underscoring the severity and ease of exploitation, as it requires no privileges or user interaction.

Organizations leveraging vm2 in their Node.js environments are at severe risk. This isn’t just a denial-of-service; it’s a full remote code execution vector. The fix is available in vm2 version 3.11.3, making immediate patching the only viable defense against this critical escape.

What This Means For You

  • If your Node.js applications use vm2, you are exposed to a critical sandbox escape (CVE-2026-45411) that allows arbitrary code execution. Identify all instances of vm2 in your deployments and upgrade to version 3.11.3 or later *immediately*. This isn't a theoretical risk; it's a direct path to host compromise.
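The "identify all instances" step above is easy to get wrong when vm2 is pulled in transitively by another package. The following is an added example (not code from the advisory, from NVD, or from the vm2 project) that inventories every copy of vm2 recorded in a package-lock.json and flags versions below the 3.11.3 fix; the lockfile it scans is constructed inline, and the lockfile v2/v3 "packages" layout is the only assumption about the input.

```javascript
// Added example, not code from the advisory or from the vm2 project.
// Inventories every copy of vm2 recorded in a package-lock.json (lockfile
// v2/v3 "packages" map, which also lists nested copies) and flags versions
// below 3.11.3, the fixed release named in the advisory.
const FIXED_VERSION = "3.11.3";

// Split "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts plus
// the pre-release tag, if any. Build metadata is ignored.
function parseSemver(v) {
  const s = String(v).trim().replace(/^v/, "");
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(s);
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release sorts below the release with the same
// core (3.11.3-beta.1 < 3.11.3), so it still counts as unpatched. Two
// pre-releases of the same core compare equal here; finer ordering is not
// needed for a patched/unpatched decision.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] < pb.parts[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Match the top-level node_modules/vm2 and any nested
// .../node_modules/<dep>/node_modules/vm2, but not look-alike names.
const VM2_PATH = /(^|\/)node_modules\/vm2$/;

// Walk the lockfile and report every vm2 copy with its patch status.
function findVm2Copies(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!VM2_PATH.test(path) || !meta || !meta.version) continue;
    findings.push({
      path,
      version: meta.version,
      vulnerable: compareSemver(meta.version, FIXED_VERSION) < 0,
    });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one outdated direct
// dependency and one already-patched copy pulled in by a plugin.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/some-plugin": { version: "2.1.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.11.3" },
    "node_modules/vm2-helper": { version: "0.1.0" },
  },
};

for (const f of findVm2Copies(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.path} ${f.version}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project's package-lock.json; a nested copy that npm deduplicated away will not appear as its own path, which is why the scan walks every "packages" key rather than only the top-level entry.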

Related ATT&CK Techniques

T1059.003 (Execution)

Detection Rules

The detection rules for this advisory are auto-generated (AI) and mapped to MITRE ATT&CK. Severity: critical.

CVE-2026-45411 - vm2 Sandbox Escape via Async Generator Exception Handling

Sigma YAML
title: CVE-2026-45411 - vm2 Sandbox Escape via Async Generator Exception Handling
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  This rule detects the specific exploit pattern for CVE-2026-45411. It looks for Node.js processes ('node.exe') that are likely running the vm2 sandbox and attempting to exploit the vulnerability by using 'yield*' within an async generator and closing the generator with 'return()'. This indicates an attempt to escape the sandbox and execute arbitrary commands on the host.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45411/
tags:
  - attack.execution
  - attack.t1059.003
logsource:
  category: process_creation
detection:
  selection:
    Image|contains:
      - 'node.exe'
    # The description requires all three substrings together; a plain
    # `contains` list fires on any one of them (e.g. just 'vm2').
    CommandLine|contains|all:
      - 'vm2'
      - 'yield*'
      - 'return()'
  # condition sits at the detection level, not inside the selection.
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
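Two details of this rule matter when it is loaded into a SIEM. First, in Sigma a list under a plain `CommandLine|contains` matches when any one value is present, while the rule's description calls for all three substrings together, which is `CommandLine|contains|all`. Second, `Image|contains: 'node.exe'` only matches Windows-style image names. The following is an added example (not the feed's own code) that evaluates the rule's field logic under both list semantics over constructed process-creation events, so the difference is visible before the rule goes live.

```javascript
// Added example, not code from the feed or from the vm2 project. Applies the
// process_creation rule's fields to constructed events and contrasts the two
// Sigma list semantics: a plain `|contains` list matches if ANY value is
// present, `|contains|all` only if EVERY value is present.
const RULE = {
  image: ["node.exe"],
  commandLine: ["vm2", "yield*", "return()"],
};

// Sigma string modifiers are case-insensitive, so normalise both sides.
const norm = (s) => String(s || "").toLowerCase();
const containsAny = (value, needles) => needles.some((n) => norm(value).includes(norm(n)));
const containsAll = (value, needles) => needles.every((n) => norm(value).includes(norm(n)));

// Evaluate one event under either semantics; field names follow Sigma's
// process_creation category (Image, CommandLine).
function matchesRule(event, requireAll) {
  if (!containsAny(event.Image, RULE.image)) return false;
  const test = requireAll ? containsAll : containsAny;
  return test(event.CommandLine, RULE.commandLine);
}

// Returns the ids of the events that fire under the chosen semantics.
function firingEvents(events, requireAll) {
  return events.filter((e) => matchesRule(e, requireAll)).map((e) => e.id);
}

// Constructed sample events (not real telemetry).
const SAMPLE_EVENTS = [
  // Ordinary service start that merely mentions vm2 on the command line.
  { id: 1, Image: "C:\\Program Files\\nodejs\\node.exe", CommandLine: "node.exe server.js --sandbox vm2" },
  // Inline invocation carrying all three substrings the rule looks for.
  { id: 2, Image: "C:\\Program Files\\nodejs\\node.exe", CommandLine: "node.exe -e \"vm2 yield* return()\"" },
  // Same substrings, but not a node.exe image: the Image clause excludes it.
  { id: 3, Image: "C:\\Windows\\System32\\cmd.exe", CommandLine: "cmd.exe /c echo vm2 yield* return()" },
  // Linux-style node path: 'node.exe' never matches, whatever the command line.
  { id: 4, Image: "/usr/bin/node", CommandLine: "node run.js vm2 yield* return()" },
];

console.log("any-of semantics fire on:", firingEvents(SAMPLE_EVENTS, false)); // [1, 2]
console.log("all-of semantics fire on:", firingEvents(SAMPLE_EVENTS, true));  // [2]
```

Event 1 is the false positive the any-of reading produces on every process that merely has "vm2" on its command line, and event 4 shows that Linux and macOS hosts are outside the rule's coverage as written. Code executed inside a vm2 sandbox normally reaches the process through the application (an uploaded script or an API body) rather than through the node command line, so even the all-of form is a low-recall signal; the upgrade to 3.11.3 remains the control.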


Indicators of Compromise

ID | Type | Indicator
CVE-2026-45411 | RCE | vm2 sandbox escape
CVE-2026-45411 | RCE | vm2 < 3.11.3
CVE-2026-45411 | RCE | Node.js vm/sandbox
CVE-2026-45411 | RCE | yield* expression inside an async generator

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
