vm2 — CVE-2026-26956 Sandbox Escape with Published PoC
AI relevance: vm2 is the dominant JavaScript sandboxing layer in AI coding agents, MCP servers, and online code-interpreter platforms — any system that executes untrusted LLM-generated or user-submitted JS code relies on its isolation guarantees.
What happened
- CVE-2026-26956 allows escaping the vm2 sandbox and executing arbitrary code on the host system. Confirmed against vm2 3.10.4 with Node.js 25 (tested on 25.6.1); earlier versions may also be affected.
- The flaw exploits WebAssembly exception handling in Google's V8 engine, which intercepts JavaScript errors at a lower level than vm2's JavaScript-based security defenses.
- An attacker triggers a crafted TypeError via Symbol-to-string conversion, causing a host-side error object to leak back into the sandbox without sanitization.
- The leaked object's constructor chain grants access to Node.js internals (including the process object), enabling arbitrary command execution on the host.
- The vm2 maintainer published a proof-of-concept exploit demonstrating full remote code execution.
- This is the latest in a long series of vm2 sandbox escapes: CVE-2026-22709 (January 2026), CVE-2023-30547, CVE-2023-29017, and CVE-2022-36067.
- vm2 has over 1.3 million weekly downloads on npm and is widely embedded in AI agent tooling, online coding platforms, and SaaS applications.
Why it matters
AI systems that execute LLM-generated or user-submitted JavaScript — including coding agents, code interpreters, and MCP server runtimes — depend on vm2 to contain untrusted code. A sandbox escape means malicious payloads from an AI agent's output can break out and execute on the hosting infrastructure. The published PoC lowers the barrier to exploitation, and the recurring pattern of vm2 escapes raises fundamental questions about JavaScript-level sandboxing as a security boundary.
What to do
- Upgrade immediately: Move to vm2 ≥ 3.10.5 (latest is 3.11.2). Check the release notes.
- Audit your AI stack: If your coding agent, MCP server, or code interpreter uses vm2, verify the dependency version and patch.
- Consider architectural alternatives: Given the repeated escape history, evaluate process-level isolation (containers, WebAssembly runtimes, gVisor) instead of JS-level sandboxing for untrusted code execution in AI pipelines.
- Monitor Node.js 25 deployments: The confirmed attack vector requires WebAssembly exception handling — environments on Node.js 25 with this feature enabled are the highest-risk targets.
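
One way to carry out the dependency audit described under "What to do", as an added example (not code from vm2 or from this page's author): it walks a parsed package-lock.json and reports every vm2 copy older than 3.10.5, including transitive ones nested under other packages. The function names, the sample lockfile and its package names are constructed for illustration.

```javascript
const FIXED = [3, 10, 5]; // first fixed vm2 release per this page (>= 3.10.5)

// Parse "x.y.z[-pre]" into numbers; a pre-release tag is noted separately.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when the version is older than FIXED. Unparseable versions and
// pre-releases of the fixed version itself are treated as vulnerable.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Walk a parsed package-lock.json and return every vulnerable vm2 copy,
// including transitive ones nested under other packages.
function findVulnerableVm2(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/vm2$/.test(path) && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  if (lock.packages) return hits;
  // lockfileVersion 1: nested "dependencies" tree.
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === "vm2" && isVulnerable(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  })(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (package names other than vm2 are made up).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "agent-runtime" },
  "node_modules/vm2": { version: "3.11.2" },
  "node_modules/mcp-tool-host/node_modules/vm2": { version: "3.10.4" },
  "node_modules/not-vm2": { version: "1.0.0" },
} };
console.log(findVulnerableVm2(sampleLock));
```

To audit a real project, pass the result of `JSON.parse` on its package-lock.json to `findVulnerableVm2`; a nested hit means the fix has to come from the parent package or an override, not only from your own dependency list.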