CVE-2026-44004: vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion

May 7, 2026

Sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2’s timeout option cannot interrupt it. A single request can exhaust host memory and crash the process with a FATAL ERROR: Reached heap limit.

References

github.com/advisories/GHSA-6785-pvv7-mvg7
github.com/patriksimek/vm2
github.com/patriksimek/vm2/releases/tag/v3.11.0
github.com/patriksimek/vm2/security/advisories/GHSA-6785-pvv7-mvg7
nvd.nist.gov/vuln/detail/CVE-2026-44004

Code Behaviors & Features

Detect and mitigate CVE-2026-44004 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →