Improper Control of Dynamically-Managed Code Resources in vm2 - #VU131735



Published: May 18, 2026


Vulnerability identifier: #VU131735
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-913
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Patrik Simek
Affected software:
vm2

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of dynamically-managed code resources in the species handling of Promise.prototype.finally() when untrusted code is executed with async support on a runtime that exposes WebAssembly JSPI. A remote attacker can trigger a JSPI-backed Promise path that hands a host-originated rejection object to attacker-controlled species logic, and through that object execute arbitrary code.

Only environments exposing WebAssembly.promising or WebAssembly.Suspending are affected. On such runtimes the issue breaks the sandbox boundary by exposing access to host process objects.
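The advisory names two preconditions: untrusted code run with async support, and a runtime that exposes the JSPI entry points WebAssembly.promising or WebAssembly.Suspending. The following pre-flight check is an added example written for this page; it is not code from the vm2 project or from the advisory, and the helper names `runtimeExposesJspi` and `assessVm2Exposure` are hypothetical. It lets an operator confirm whether a given runtime meets the advisory's preconditions before the vendor update is applied, and it accepts a global object parameter so the check can be exercised against constructed sample globals as well as the real `globalThis`.

```javascript
// Added example (not vm2 or advisory code): report whether a runtime exposes
// the WebAssembly JSPI surface named in #VU131735.

// Returns true when the supplied global object exposes either JSPI entry point
// (WebAssembly.promising or the WebAssembly.Suspending constructor).
function runtimeExposesJspi(globalObject = globalThis) {
  const wasm = globalObject.WebAssembly;
  if (!wasm || typeof wasm !== 'object') return false;
  return typeof wasm.promising === 'function' || typeof wasm.Suspending === 'function';
}

// Combines the two advisory preconditions (async support enabled for untrusted
// code, JSPI exposed by the runtime) into a structured finding that can be
// logged or used to gate a deployment. Hypothetical helper, not a vm2 API.
function assessVm2Exposure({ asyncSupportEnabled, globalObject = globalThis }) {
  const jspiExposed = runtimeExposesJspi(globalObject);
  const asyncEnabled = Boolean(asyncSupportEnabled);
  const affected = asyncEnabled && jspiExposed;
  return {
    jspiExposed,
    asyncSupportEnabled: asyncEnabled,
    affected,
    guidance: affected
      ? 'Runtime matches the #VU131735 preconditions; apply the vendor update before running untrusted code.'
      : 'Preconditions not met on this runtime; still apply the vendor update.',
  };
}

// Constructed sample globals standing in for a runtime with JSPI exposed and
// one without it (the stub functions only need the right typeof).
const sampleWithJspi = {
  WebAssembly: { promising: () => {}, Suspending: function Suspending() {} },
};
const sampleWithoutJspi = {
  WebAssembly: { instantiate: () => {} },
};

// Report on the runtime this script is actually executing in.
console.log(JSON.stringify(assessVm2Exposure({ asyncSupportEnabled: true }), null, 2));
```

The check deliberately tests `typeof` rather than calling the JSPI functions, so it has no side effects and can run inside a health check or CI step; a positive result means the runtime satisfies the advisory's environmental precondition, not that vm2 is reachable by an attacker.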


Remediation

Install the security update from the vendor's website.

Sources