PatchSiren cyber security CVE debrief
CVE-2026-47210 patriksimek CVE debrief
CVE-2026-47210 is a critical sandbox escape vulnerability in vm2, an open-source VM/sandbox library for Node.js. It allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes that expose WebAssembly JSPI (JavaScript Promise Integration). This issue was patched in version 3.11.4.
- Vendor: patriksimek
- Product: vm2
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of vm2, especially those executing untrusted code with async support, should update to version 3.11.4 or later to mitigate this vulnerability.
Technical summary
The vulnerability occurs when a JSPI-backed Promise reaches Promise.prototype.finally() in a way that bypasses the expected Promise-species hardening. This exposes a host-originated rejection object to attacker-controlled species logic, which breaks the sandbox boundary.
Defensive priority
High
Recommended defensive actions
- Update vm2 to version 3.11.4 or later.
- Avoid executing untrusted code with async support on vulnerable versions of vm2.
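As an added defensive example (not code from the advisory or from the vm2 project), the helper below checks an installed vm2 version against the 3.11.4 fix and, on an unpatched build, passes vm2's `allowAsync: false` option so guest code cannot use async at all; the version strings it is exercised with are constructed, and the vm2 dependency is assumed rather than bundled.

```javascript
// Added example, not code from the advisory or the vm2 project. It treats
// 3.11.4 (the fixed release named above) as the boundary and relies on vm2's
// documented `allowAsync` VM option (default true) to forbid async/await in
// guest code on older builds.
const FIXED_VERSION = '3.11.4';

// Numeric comparison of dotted versions; prerelease suffixes are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Anything below the fixed release is in scope for CVE-2026-47210.
function isVulnerable(installedVersion) {
  return compareVersions(installedVersion, FIXED_VERSION) < 0;
}

// Build VM options for a given installed version. On an unpatched build the
// caller's request for async is overridden, since the vulnerable path needs
// async support; on a patched build the caller's options are kept as-is.
function sandboxOptions(installedVersion, wanted = {}) {
  const opts = { timeout: 1000, ...wanted };
  if (isVulnerable(installedVersion)) opts.allowAsync = false;
  return opts;
}

// Runtime wiring, used only if vm2 is present (assumed, not bundled here).
// Returns null when vm2 cannot be loaded so the file still runs stand-alone.
function runUntrusted(code, wanted = {}) {
  let VM, installed;
  try {
    ({ VM } = require('vm2'));
    installed = require('vm2/package.json').version;
  } catch {
    return null;
  }
  return new VM(sandboxOptions(installed, wanted)).run(code);
}
```

On a patched build the helper leaves `allowAsync` alone, so the check is a stop-gap for hosts that cannot upgrade immediately, not a replacement for the upgrade.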
Evidence notes
CVE-2026-47210 has a CVSS score of 9.8 and is considered CRITICAL.
Official resources
CVE-2026-47210 was published on 2026-06-12T15:16:29.030Z and modified on 2026-06-12T17:16:23.987Z.