PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-24120 patriksimek CVE debrief

CVE-2026-24120 is a critical vulnerability in vm2, a Node.js sandbox, allowing attackers to escape the sandbox and execute arbitrary commands on the host system. The issue arises from an insufficient fix for CVE-2023-37466 in vm2 versions prior to 3.10.5. This vulnerability has a CVSS score of 9.8 and is considered critical. The vulnerability was published on May 4, 2026, and last modified on June 30, 2026. The fix for this issue is included in vm2 version 3.10.5.

Vendor
patriksimek
Product
vm2
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-04
Original CVE updated
2026-06-30
Advisory published
2026-05-04
Advisory updated
2026-06-30

Who should care

Developers and administrators using vm2 in their Node.js applications should be aware of this vulnerability and take immediate action to upgrade to version 3.10.5 or later. Additionally, security teams and vulnerability managers should prioritize this critical vulnerability and ensure that affected systems are patched. Users of Red Hat systems may also need to apply patches or mitigations.

Technical summary

The vm2 sandbox for Node.js has a critical vulnerability, CVE-2026-24120, that allows attackers to escape the sandbox and execute arbitrary commands on the host system. This issue is a result of an insufficient fix for CVE-2023-37466. The vulnerability has a CVSS score of 9.8 and is considered critical. It affects vm2 versions prior to 3.10.5. The Common Weakness Enumeration (CWE) for this vulnerability includes CWE-94 and CWE-693 for code injection and security features issues.

Defensive priority

This vulnerability should be prioritized as critical due to its high CVSS score and potential impact. Immediate action is required to upgrade to vm2 version 3.10.5 or later to prevent exploitation.

Recommended defensive actions

  • Upgrade to vm2 version 3.10.5 or later
  • Review and apply patches or mitigations for Red Hat systems
  • Monitor systems for potential exploitation attempts
  • Ensure that Node.js applications using vm2 are properly configured and secured
  • Perform a thorough inventory of affected systems and prioritize patching

Evidence notes

The CVE-2026-24120 vulnerability is documented in the official CVE record and NVD detail pages. Additional information can be found in the vendor's release notes and security advisories. The vulnerability has been actively monitored and updated in the NVD database.

Official resources

This article is AI-assisted and based on the supplied source corpus.