CVE-2026-44004 - Vulnerability Analysis
HighCVSS: 7.5Last Updated: May 14, 2026
vm2 - Denial of Service
Overview
vm2 < 3.11.0 contains a denial of service caused by uninterruptible Buffer.alloc() calls in sandboxed code, letting attackers exhaust host memory and crash the process, exploit requires sandboxed code execution.
Severity & Score
Impact
Attackers can exhaust host memory causing process crash and denial of service.
Mitigation
Update to version 3.11.0 or later.
Social Media Activity(2 posts)
š CVE-2026-44004 - High (7.5) vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2's timeout option ... š https://www.thehackerwire.com/vulnerability/CVE-2026-44004/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š CVE-2026-44004 - High (7.5) vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2's timeout option ... š https://www.thehackerwire.com/vulnerability/CVE-2026-44004/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-44004
- Severity
- High
- CVSS Score
- 7.5
- Type
- denial_of_service
- Status
- confirmed
- EPSS
- 4.0%
- Social Posts
- 2
CWE
- CWE-770
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H