RC RANDOM CHAOS

vm2 sandbox escape via WebAssembly exception handling enables host RCE

via BleepingComputer

Original source: "Critical vm2 sandbox bug lets attackers execute code on hosts" (BleepingComputer)

CVE-2026-26956 lets attackers break out of vm2, a Node.js sandbox library pulling 1.3M weekly npm downloads, and execute arbitrary code on the host. The flaw hits version 3.10.4 and likely earlier releases when running on Node.js 25 with WebAssembly exception handling and JSTag support enabled. A working PoC is public, and the fix lands in 3.10.5 (current 3.11.2).

The escape exploits a layer mismatch: vm2’s isolation depends on JavaScript-level Proxies and error wrapping, but WebAssembly exception handling intercepts errors deeper in V8, beneath those defenses. A crafted TypeError triggered through Symbol-to-string conversion leaks an unsanitized host-side error object into the sandbox, and its constructor chain hands attackers back the Node.js process object and command execution.

This is the second critical vm2 sandbox escape this year after CVE-2026-22709, following a multi-year pattern (CVE-2023-30547, CVE-2023-29017, CVE-2022-36067) that underscores how fragile JavaScript-based isolation is against engine-level primitives. Coding platforms, automation tools, and SaaS products running user-supplied scripts on vm2 should patch immediately and reassess whether process-level isolation is the more honest boundary.
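To act on the patch advice above, the following added example (not from BleepingComputer or the vm2 project) scans a parsed npm lockfile for every direct or transitive copy of vm2 and flags those below the fixed release 3.10.5. The function names, status labels, and the sample lockfile are assumptions made for illustration.

```javascript
const FIXED = [3, 10, 5]; // fixed release named in the summary above

// Parse "major.minor.patch" into numbers, ignoring any suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a is strictly lower than version b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Collect vm2 entries from lockfile v2/v3 "packages" or v1 nested "dependencies".
function findVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === "vm2") hits.push({ path: `${trail}/${name}`, version: meta.version });
      walk(meta.dependencies, `${trail}/${name}`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Unparseable versions are reported as "unknown" rather than passed.
function auditLock(lock) {
  return findVm2(lock).map((h) => {
    const v = parseVersion(h.version);
    const status = !v ? "unknown" : isBelow(v, FIXED) ? "needs-upgrade" : "at-or-above-fix";
    return { ...h, status };
  });
}

// Constructed sample lockfile; "script-runner" is a hypothetical package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/vm2": { version: "3.11.2" },
    "node_modules/script-runner/node_modules/vm2": { version: "3.10.4" },
  },
};
console.log(auditLock(sampleLock));
```

A `needs-upgrade` hit is a version finding only; per the summary, exposure also depends on the Node.js runtime the sandbox runs on.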


This is an AI-generated summary. Read the original for the full story.