Memory Allocation Vulnerability in vm2 for Node.js
CVE-2026-44004

7.5HIGH

Key Information:

Vendor: Patriksimek
Status: Vm2
Vendor: CVE Published:; 13 May 2026

🔔 Create Patriksimek Vulnerability Alert

What is CVE-2026-44004?

The vm2 library, used for sandboxing Node.js applications, has a vulnerability that allows arbitrary memory allocation through Buffer.alloc() prior to version 3.11.0. This issue arises because the Buffer.alloc() function is a synchronous native call, which inhibits the timeout feature of vm2 from interrupting the process. Consequently, an exploit can lead to exhaustion of the host memory, potentially causing a crash with a fatal error due to reaching the heap limit. This vulnerability has been fixed in version 3.11.0.

Affected Version(s)

vm2 < 3.11.0

References

https://github.com/patriksimek/vm2/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
May 4, 2026

CVE-2026-44004 Data

JSON