CVE-2026-43997 - Vulnerability Analysis
Critical | CVSS: 10.0 | Last Updated: May 14, 2026
vm2 - Sandbox Escape
Overview
vm2 < 3.11.0 contains a sandbox escape vulnerability caused by access to the host Object, which lets attackers escape the sandbox environment. Exploitation requires executing crafted code within the sandbox.
Severity & Score
Impact
Attackers can escape the sandbox, potentially executing arbitrary code on the host system.
Mitigation
Update to version 3.11.0 or later.
Social Media Activity (2 posts)
CVE-2026-43997 - Critical (10) vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Sy... https://www.thehackerwire.com/vulnerability/CVE-2026-43997/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-43997
- Severity: Critical
- CVSS Score: 10.0
- Type: sandbox_escape
- Status: confirmed
- EPSS: 4.8%
- Social Posts: 2
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H