PatchSiren cyber security CVE debrief
CVE-2026-44001 Vm2 Project CVE debrief
CVE-2026-44001 is a high-severity vm2 sandbox issue that can let sandboxed code crash the host Node.js process. The supplied description says the problem exists in vm2 prior to 3.11.0 and that the earlier fix for CVE-2026-22709 only sanitized the onRejected callback in .then() and .catch() overrides, leaving an executor-to-unhandledRejection path unaddressed. In practice, a single Promise constructor can trigger an unhandled rejection that propagates to the host and takes down the process. The issue is fixed in vm2 3.11.0.
- Vendor: Vm2 Project
- Product: Vm2
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-13
- Advisory updated: 2026-05-18
Who should care
Teams running untrusted or semi-trusted JavaScript through vm2, especially Node.js services that depend on sandboxing for availability or tenant isolation. Operators should care most if a host process crash would cause service interruption or affect multiple workloads.
Technical summary
The vulnerability affects vm2 versions before 3.11.0. NVD lists the vulnerable CPE range as ending before 3.11.0 and classifies the issue with CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H, reflecting a network-reachable, no-authentication path with high availability impact and changed scope. The supplied description attributes the failure to an unhandled rejection path triggered from a Promise constructor inside the sandbox. The prior fix for CVE-2026-22709 did not cover this path because it only sanitized the onRejected callback in .then() and .catch() overrides. NVD also associates the issue with CWE-248.
Defensive priority
High. Upgrade should be treated as urgent for any internet-facing or multi-tenant service that runs untrusted code in vm2, because the vulnerability can crash the host process and disrupt availability.
Recommended defensive actions
- Upgrade vm2 to 3.11.0 or later.
- Inventory applications and services that embed vm2, including indirect dependencies.
- Treat all vm2 releases before 3.11.0 as vulnerable to this issue.
- Review process isolation and failure containment so a sandbox failure cannot take down the primary service.
- Monitor for unexpected Node.js process exits or unhandled rejection events in workloads that use vm2.
Evidence notes
This debrief is based only on the supplied NVD/CVE corpus and the referenced GitHub security advisory. The CVE was published on 2026-05-13 and last modified on 2026-05-18. The NVD record lists the affected vm2 version range as ending before 3.11.0, the CVSS vector as AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H, and CWE-248 as the associated weakness. The supplied description states that the issue is fixed in 3.11.0 and that the earlier CVE-2026-22709 fix did not address the executor-to-unhandledRejection path.
Official resources
- CVE-2026-44001 CVE record (CVE.org)
- CVE-2026-44001 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
Publicly recorded in the CVE/NVD feed on 2026-05-13 and last modified on 2026-05-18.