ctipilot.ch

vm2 sandbox escape via BaseHandler.getPrototypeOf — host-object access; CVSS 10.0; patched 3.11.0

cve · CVE-2026-43997

Coverage timeline
1
first 2026-05-20 → last 2026-05-20
Briefs
1
1 distinct
Sources cited
3
3 hosts
Sections touched
1
trending_vulns
Co-occurring entities
6
see Related entities below

Story timeline

  1. 2026-05-20CTI Daily Brief — 2026-05-20
    trending_vulnsFirst-coverage; BSI WID-SEC-2026-1583 flagged 2026-05-19; cluster of 12 vm2 CVEs

Where this entity is cited

  • trending_vulns1

Source distribution

  • kodemsecurity.com1 (33%)
  • thehackernews.com1 (33%)
  • wid.cert-bund.de1 (33%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (3)

Items in briefs about vm2 sandbox escape via BaseHandler.getPrototypeOf — host-object access; CVSS 10.0; patched 3.11.0 (1)

vm2 Node.js sandbox — 12 critical CVEs (CVE-2026-43997 / 43999 / 44005 / 44006 / 44008 / 44009 et al.), sandbox escape to host RCE, upgrade to ≥ 3.11.4

From CTI Daily Brief — 2026-05-20 · published 2026-05-20 · view item permalink →

On 2026-05-19 BSI WID-SEC-2026-1583 was published flagging 12 critical sandbox-escape vulnerabilities in the vm2 Node.js library (BSI WID-SEC-2026-1583). vm2 is widely embedded in code editors, CI/CD pipelines, serverless function runners, workflow automation platforms (n8n and similar), and AI-agent frameworks that need to execute untrusted JavaScript. Highest-severity CVEs:

  • CVE-2026-43997 (CVSS 10.0) — host-object access via code injection in the BaseHandler.getPrototypeOf trap; attacker obtains a reference to the real host Object prototype and escapes all sandbox restrictions. Affects vm2 ≤ 3.10.5; patched in 3.11.0.
  • CVE-2026-44005 (CVSS 10.0) — prototype pollution via attacker-controlled JS in vm2 3.9.6 – 3.10.5; patched 3.11.0.
  • CVE-2026-44006 (CVSS 10.0) — code injection via BaseHandler.getPrototypeOf; patched 3.11.0.
  • CVE-2026-43999 (CVSS 9.9) — NodeVM allow-list bypass: when the host explicitly permits child_process, the Module._load() internal becomes reachable, letting sandboxed code load any built-in module including child_process for OS command execution; patched 3.11.0.
  • CVE-2026-44008 / CVE-2026-44009 (CVSS 9.8 each) — null-proto exception exploitation bypassing neutralizeArraySpeciesBatch(); affects ≤ 3.11.1, patched 3.11.2.

Public PoC code is circulating for several CVEs on GitHub. Kodem Security frames the AI-agent escalation path as "prompt → agent evaluates attacker-controlled JS via vm2 → sandbox escape → host OS RCE" — directly relevant where Swiss / EU public-sector digitisation projects use Node.js automation (n8n in particular) or custom LLM-agent pipelines that route generated code through vm2. The comprehensive fix per BSI WID-SEC-2026-1583 is vm2 ≥ 3.11.4; the prior patch progression (3.11.0 → 3.11.2) addresses the bulk of the 12-CVE cluster but BSI flags the comprehensive cut-over at 3.11.4 (see § 7 Verification Notes for the version discrepancy with The Hacker News). No configuration workaround exists. SBOM-scan every Node.js dependency tree (CI runners, automation platforms, AI agents) for vm2 < 3.11.4.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-41091 Microsoft Defender Engine 7.8 n/a No Yes Engine ≥ 1.1.26040.8 (auto-update) MSRC
CVE-2026-45584 Microsoft Defender Engine 8.1 n/a No No Engine ≥ 1.1.26040.8 (auto-update) MSRC
CVE-2026-45585 Windows BitLocker / WinRE (YellowKey) 6.8 n/a No No (PoC public) No patch; MSRC interim mitigation MSRC
CVE-2026-42097 Sparx PCS / WebEA 9.3 (CVSS4) n/a No No (PoC public) No vendor patch CERT-PL
CVE-2026-42099 Sparx PCS / WebEA 7.7 (CVSS4) n/a No No (PoC public) No vendor patch CERT-PL
CVE-2026-31635 Linux kernel RxGK 7.5 n/a No No (PoC public) Kernel 2026-04-25 stable patch Moselwal
CVE-2026-43997 vm2 Node.js library 10.0 n/a No No (PoC public) vm2 ≥ 3.11.0 (3.11.2 for full set) BSI WID-SEC-2026-1583
CVE-2026-43999 vm2 Node.js library (NodeVM) 9.9 n/a No No (PoC public) vm2 ≥ 3.11.0 BSI WID-SEC-2026-1583