PT-2026-38395 · Npm · Vm2

Kodove

·

Published

2026-05-01

·

Updated

2026-06-04

·

CVE-2026-44004

CVSS v3.1

8.6

High

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.0
Description Sandboxed code can call the Buffer.alloc() function with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc() is a synchronous C++ native call, the timeout option cannot interrupt the execution. This allows a single request to exhaust host memory, leading to a process crash with a FATAL ERROR: Reached heap limit. The issue occurs because the Buffer object is exposed to the sandbox through the HOST object, and the bridge proxy in lib/bridge.js passes these calls to the host without size validation.
Recommendations Update to version 3.11.0.

Exploit

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-06910
CVE-2026-44004
GHSA-6785-PVV7-MVG7

Affected Products

Vm2