Bug 2466508 (CVE-2026-26332) - CVE-2026-26332 vm2: Arbitrary code execution via SuppressedError sandbox escape
Keywords:
Status: NEW
Alias: CVE-2026-26332
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-05-04 19:02 UTC by OSIDB Bzimport
Modified: 2026-05-15 17:35 UTC (History)
CC: 17 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-04 19:02:53 UTC
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

Comment 4 Marco Benatto 2026-05-15 16:53:13 UTC
Upstream public commits fixing this issue:
https://github.com/patriksimek/vm2/commit/4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f
https://github.com/patriksimek/vm2/commit/d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338

Those commits are contained in the following upstream releases:

$ git tag --contains 4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f
v3.11.0
v3.11.1
v3.11.2
v3.11.3
$ git tag --contains d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338
v3.11.0
v3.11.1
v3.11.2
v3.11.3

