CVE-2026-26956: CVE-2026-26956: WebAssembly Exception Handling Sandbox Escape in vm2

1 / 2

CVE-2026-26956: CVE-2026-26956: WebAssembly Exception Handling Sandbox Escape in vm2

DEV Community·CVE Reports·27 days ago

#VlVcUa1O

#commit #security #cve #cybersecurity #sandbox #code

Reading 0:00

15s threshold

CVE-2026-26956: WebAssembly Exception Handling Sandbox Escape in vm2 Vulnerability ID: CVE-2026-26956 CVSS Score: 9.8 Published: 2026-05-05 vm2 versions 3.10.4 and below are vulnerable to a critical sandbox escape flaw resulting in unauthenticated remote code execution. Attackers can leverage Node.js v25 WebAssembly (WASM) exception handling mechanisms to bypass JavaScript-level error instrumentation and gain access to the host-realm execution context. TL;DR A critical sandbox escape (CVSS 9.8) in vm2 allows attackers to achieve arbitrary code execution by exploiting WebAssembly try_table and JSTag instructions to leak un-sanitized host-realm objects.…

Continue reading — create a free account

Join HashtagPLUS to read full articles, follow hashtags, vote, and join the conversation.

Create free account Log in

Menu

CVE-2026-26956: CVE-2026-26956: WebAssembly Exception Handling Sandbox Escape in vm2