PatchSiren cyber security CVE debrief

CVE-2026-45411 Vm2 Project CVE debrief

CVE-2026-45411 is a critical vulnerability in vm2, an open-source VM/sandbox library for Node.js. It allows an attacker who can run code inside the sandbox to escape it and execute arbitrary commands on the host system. The escape works by catching a host exception through a yield* expression inside an async generator and then awaiting the value when the generator is closed. The vulnerability carries a CVSS base score of 9.8 (Critical) and is fixed in vm2 version 3.11.3.

Vendor: Vm2 Project
Product: Vm2
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-06-30
Advisory published: 2026-05-13
Advisory updated: 2026-06-30

Who should care

Developers and administrators using vm2 in their Node.js applications should be aware of this vulnerability and take immediate action to update to version 3.11.3 or later. Additionally, users of Red Hat products that incorporate vm2 may need to apply patches or mitigations provided by Red Hat.

Technical summary

The vulnerability in vm2 arises from the way it handles exceptions in async generators. Specifically, when a generator is closed using the return function, the value is awaited on, and any exception thrown in the then call is caught by the runtime and passed to the yield* iterator as the next value. Because that exception object originates on the host side of the sandbox boundary, attacker-controlled code inside the sandbox can use it to escape vm2 and execute arbitrary commands on the host system. The CVSS base score for this vulnerability is 9.8, a Critical severity rating. The weakness is categorized under CWE-668: Exposure of Resource to Wrong Sphere.

Defensive priority

High. This vulnerability allows for a complete escape of the vm2 sandbox, enabling an attacker to execute arbitrary commands on the host system. Immediate action is required to mitigate this vulnerability.

Recommended defensive actions

  • Update vm2 to version 3.11.3 or later.
  • Review and patch affected Red Hat products according to vendor advisories.
  • Implement compensating controls to monitor for suspicious activity.
  • Perform thorough inventory checks to identify potentially vulnerable systems.
  • Track exceptions and anomalies in async generator usage.

Evidence notes

The CVE-2026-45411 vulnerability was publicly disclosed on May 13, 2026, and the record was last updated on June 30, 2026. The vulnerability affects vm2 versions prior to 3.11.3. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, low complexity, no privileges or user interaction, full impact on confidentiality, integrity and availability), which corresponds to the Critical base score of 9.8. The weakness is categorized under CWE-668: Exposure of Resource to Wrong Sphere.

Official resources

This article is AI-assisted and based on the supplied source corpus.