CVE-2026-45411: Remote Code Execution via Sandbox Escape in vm2 Async Generator Implementation

DEV Community·CVE Reports·18 days ago

Vulnerability ID: CVE-2026-45411
CVSS Score: 9.8
Published: 2026-05-14

CVE-2026-45411 is a critical sandbox breakout vulnerability in the vm2 library for Node.js, allowing attackers to achieve remote code execution on the host system. The flaw stems from an inconsistency in how the V8 JavaScript engine handles async generators during delegation and abrupt completions, enabling an attacker to smuggle a host-realm error object into the sandbox.

TL;DR

A critical vulnerability in vm2 (CVE-2026-45411, CVSS 9.8) allows sandbox escape and host RCE via V8 engine async generator handling. Versions prior to 3.11.3 are affected.…
