PT-2026-38397 · Npm · Vm2

C0Rydoras · Published 2026-05-01 · Updated 2026-06-15 · CVE-2026-44006

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: vm2 versions prior to 3.11.0

Description: A sandbox escape allows unauthenticated attackers to execute arbitrary system commands (RCE) on the host. The issue occurs because BaseHandler.getPrototypeOf can be reached via util.inspect, enabling the retrieval of arbitrary prototypes. By manipulating object prototypes through internal bridge functions, an attacker can gain access to the host's process object.

Recommendations: Update to version 3.11.0.

Tags: Exploit · Fix · Code Injection


Weakness Enumeration

Related Identifiers

BDU:2026-06907
CVE-2026-44006
GHSA-QCP4-V2JJ-FJX8

Affected Products

Vm2