Bug 2488389 (CVE-2026-47210) - CVE-2026-47210 vm2: vm2: Arbitrary code execution via sandbox escape when executing untrusted code with async support.
Summary: CVE-2026-47210 vm2: vm2: Arbitrary code execution via sandbox escape when exe...
Keywords:
Status: NEW
Alias: CVE-2026-47210
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-12 15:02 UTC by OSIDB Bzimport
Modified: 2026-06-22 13:29 UTC (History)
17 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-12 15:02:01 UTC
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (WebAssembly.promising / WebAssembly.Suspending). In the tested configuration, a JSPI-backed Promise can reach Promise.prototype.finally() in a way that bypasses the expected Promise-species hardening and exposes a host-originated rejection object to attacker-controlled species logic, breaking the sandbox boundary. This issue has been patched in version 3.11.4.


Note You need to log in before you can comment on or make changes to this bug.