Bug 2488381 (CVE-2026-47140)

Summary: CVE-2026-47140 vm2: vm2: Arbitrary code execution due to incomplete sandbox restrictions
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abarbaro, alizardo, dschmidt, erezende, jchui, jhe, jlanda, kshier, ktsao, nboldt, oaljalju, psrna, simaishi, smcdonal, stcannon, teagle, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows sandboxed code to bypass intended security restrictions by exploiting missing entries in the denylist for dangerous Node.js built-in functions, specifically `process` and `inspector/promises`. A remote attacker can leverage this to execute arbitrary code in the host process, leading to a complete compromise of the system.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-12 15:01:34 UTC
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.