CVE-2026-44008 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: May 14, 2026
vm2 - Command Injection
Overview
vm2 < 3.11.2 contains a sandbox escape vulnerability: the neutralizeArraySpeciesBatch method calls into the host via a getter on the array prototype, exposing host-side objects to sandboxed code. An attacker who can supply crafted input that triggers the getter can use this to execute arbitrary commands on the host system.
Impact
Attackers can escape the sandbox and execute arbitrary commands on the host system, leading to full system compromise.
Mitigation
Update to version 3.11.2 or later.
Social Media Activity(2 posts)
CVE-2026-44008 - Critical (9.8) vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into ... https://www.thehackerwire.com/vulnerability/CVE-2026-44008/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-44008
- Severity: Critical
- CVSS Score: 9.8
- Type: command_injection
- Status: confirmed
- EPSS: 7.0%
- Social Posts: 2
CWE
- CWE-668
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H