PT-2026-36846 · Npm · Vm2
Xmiliah · Published 2026-05-01 · Updated 2026-05-18 · CVE-2026-24118
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
vm2 versions prior to 3.11.0
Description
An issue exists in the way code generation is managed, leading to a sandbox breakout. This allows attackers to execute arbitrary commands on the host system by escaping the sandbox. The flaw involves the __lookupGetter__ method, which can be manipulated to switch between host and sandbox contexts. By using the host apply method via Buffer.apply, an attacker can access getters in the host context. This process can be used to retrieve the host Function.prototype object and the host Function through the constructor property, enabling the creation and execution of code in the host context. Attempts to mitigate this using Object.getOwnPropertyDescriptor to access the constructor property can circumvent previous fixes.
Recommendations
Update to version 3.11.0.
Exploit
Fix
Protection Mechanism Failure
Code Injection
Affected Products
Vm2