CVE-2026-44004: vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion

May 7, 2026 (updated May 14, 2026)

Sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2’s timeout option cannot interrupt it. A single request can exhaust host memory and crash the process with a FATAL ERROR: Reached heap limit.

References

github.com/advisories/GHSA-6785-pvv7-mvg7
github.com/patriksimek/vm2/releases/tag/v3.11.0
github.com/patriksimek/vm2/security/advisories/GHSA-6785-pvv7-mvg7
nvd.nist.gov/vuln/detail/CVE-2026-44004

Code Behaviors & Features

Detect and mitigate CVE-2026-44004 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →