{"uuid": "2d263ed2-0453-4025-b00e-32e67f1cd556", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-ffh4-j6h5-pg66", "type": "seen", "source": "https://gist.github.com/alon710/4330d672e3cd0f4cc748d6de83e526ff", "content": "# CVE-2026-26956: WebAssembly Exception Handling Sandbox Escape in vm2\n\n> **CVSS Score:** 9.8\n> **Published:** 2026-05-05\n> **Full Report:** https://cvereports.com/reports/CVE-2026-26956\n\n## Summary\nvm2 versions 3.10.4 and below are vulnerable to a critical sandbox escape flaw resulting in unauthenticated remote code execution. Attackers can leverage Node.js v25 WebAssembly (WASM) exception handling mechanisms to bypass JavaScript-level error instrumentation and gain access to the host-realm execution context.\n\n## TL;DR\nA critical sandbox escape (CVSS 9.8) in vm2 allows attackers to achieve arbitrary code execution by exploiting WebAssembly try_table and JSTag instructions to leak un-sanitized host-realm objects.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-693 (Protection Mechanism Failure)\n- **Attack Vector**: Network (Unauthenticated)\n- **CVSS v3.1**: 9.8 (Critical)\n- **Impact**: Remote Code Execution / Sandbox Escape\n- **Exploit Status**: Proof of Concept Available\n- **Vulnerable Component**: Error instrumentation / handleException()\n\n## Affected Systems\n\n- Node.js applications evaluating untrusted code\n- vm2 versions 3.10.4 and below\n- **vm2**: <= 3.10.4 (Fixed in: `3.10.5`)\n\n## Mitigation\n\n- Upgrade vm2 to patched version 3.10.5.\n- Disable WebAssembly within the vm2 sandbox by setting 'wasm: false'.\n- Migrate to an isolate-based sandboxing library like 'isolated-vm' due to the deprecation of vm2.\n\n**Remediation Steps:**\n1. Identify all projects and transitive dependencies utilizing vm2.\n2. Update the package.json to require vm2 version 3.10.5 or higher.\n3. Run 'npm install' or 'yarn install' to update the dependency tree.\n4. Audit sandbox instantiation code and enforce 'wasm: false' if WebAssembly is not strictly required.\n5. Begin architecture planning to replace vm2 with isolated-vm.\n\n## References\n\n- [GHSA Advisory: GHSA-ffh4-j6h5-pg66](https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66)\n- [RedHotCyber Vulnerability Report](https://www.redhotcyber.com/en/latest-critical-vulnerabilities/)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-26956) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-05T17:10:29.000000Z"}