
CVE-2026-24120 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-24120 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-24120 is a sandbox escape vulnerability in vm2, an open source Node.js virtual machine and sandboxing library maintained by the Vm2 Project, allowing attackers to break out of the isolated execution environment.

Technical Detail

The vulnerability exists because the patch applied to address CVE-2023-37466 was incomplete and can be bypassed through crafted JavaScript code submitted to the vm2 sandbox. An attacker who can supply code for execution within a vm2 instance can exploit this bypass to escape the sandbox boundary and execute arbitrary code in the host Node.js process context, effectively achieving remote code execution with the privileges of the hosting application. All versions of vm2 prior to 3.10.5 are affected.

Exploitation Status

No known exploit has been confirmed at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. However, given that vm2 sandbox escapes have historically attracted rapid proof-of-concept development from the research community, and that this vulnerability is a bypass of a previously patched and publicly documented flaw, the risk of exploit development in the near term should be considered elevated.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been identified in connection with this vulnerability.

What To Do

Upgrade vm2 to version 3.10.5 or later immediately. Given the critical CVSS score of 9.8 and the nature of sandbox escape vulnerabilities in widely used Node.js tooling, patching should be treated as high priority for any environment running vm2 to process untrusted or user-supplied code. Organizations that cannot patch immediately should evaluate whether vm2 instances are exposed to untrusted input and consider isolating or disabling those components until the update can be applied. Audit dependency trees in Node.js applications to identify transitive use of vm2, as it is commonly included as an indirect dependency.
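The audit step above can be automated against a lockfile. The following is an added example, not code from the briefing or from the vm2 project: it walks a package-lock.json (lockfile v2/v3 layout, where every installed copy is keyed by its path under `packages`) and flags each vm2 copy whose version is below the fixed 3.10.5, including nested transitive copies. The `some-plugin` package in the sample lockfile is a constructed placeholder.

```javascript
// Added example: flag vm2 copies below the fixed release in a package-lock.json.
// Lockfile v2/v3 keys every installed package by its path, so a transitive copy
// appears as e.g. "node_modules/some-plugin/node_modules/vm2".
const FIXED_VERSION = '3.10.5';

// Numeric comparison of dotted versions; any pre-release suffix is ignored.
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every vm2 entry in the lockfile object, marking vulnerable and
// transitive (nested under another package) copies.
function auditVm2(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      findings.push({
        path,
        version: meta.version,
        vulnerable: compareVersions(meta.version, FIXED_VERSION) < 0,
        transitive: path !== 'node_modules/vm2',
      });
    }
  }
  return findings;
}

// Constructed sample lockfile: the app pins a patched vm2 directly, but a
// hypothetical plugin ("some-plugin") drags in an older nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { vm2: '^3.10.5', 'some-plugin': '1.0.0' } },
    'node_modules/vm2': { version: '3.10.5' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { vm2: '3.9.19' } },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.19' },
  },
};

for (const f of auditVm2(sampleLock)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok'} ${f.path} ${f.version}` +
              `${f.transitive ? ' (transitive)' : ''}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a nested vulnerable copy means the upgrade must be applied in the dependency that pulls it in, not only at the top level.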
