CVE-2026-47140 — vm2 Builtin Denylist Bypass via process/inspector Leads to Host RCE
Detects exploitation of CVE-2026-47140, a critical sandbox escape in the npm vm2 package (versions <= 3.11.3). Attackers bypass the builtin module denylist using process and inspector/promises references to execute arbitrary code on the host Node.js process. CVSS 10.0. PoC is publicly available.
Vulnerability Intelligence
Public PoC
Affected Software
- Vendor: npm
- Product: vm2
- Versions: <= 3.11.3
Timeline
- Disclosed: May 29, 2026
References & Proof of Concept
- PoC: https://github.com/advisories/GHSA-rp36-8xq3-r6c4
- https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4
- https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b
- https://github.com/patriksimek/vm2/releases/tag/v3.11.4
- https://nvd.nist.gov/vuln/detail/CVE-2026-47140
What is CVE-2026-47140 (vm2 Builtin Denylist Bypass via process/inspector Leads to Host RCE)?
CVE-2026-47140 (vm2 Builtin Denylist Bypass via process/inspector Leads to Host RCE) maps to the MITRE ATT&CK tactics Execution, Privilege Escalation and Lateral Movement: the adversary is trying to run malicious code on the host.
This page provides production-ready detection logic for CVE-2026-47140 (vm2 Builtin Denylist Bypass via process/inspector Leads to Host RCE), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint and Microsoft Sentinel (DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents). The queries below are rated critical severity at medium confidence and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.
// KQL (Microsoft Sentinel / Defender): node processes that reference vm2 on the command line
// and then make network connections or touch credential-like files within the same window.
let suspiciousVm2Patterns = dynamic(['inspector', 'promises', 'process.binding', 'process.mainModule', '__proto__', 'constructor.constructor']);
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName in~ ('node', 'node.exe')   // matches both the Linux and the Windows binary name
| where ProcessCommandLine has_any ('vm2', 'new VM', 'new NodeVM')
// flag command lines that also carry one of the known denylist-bypass identifiers
| extend EscapePatternInCmdline = ProcessCommandLine has_any (suspiciousVm2Patterns)
| join kind=leftouter (
    DeviceNetworkEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName in~ ('node', 'node.exe')
    | summarize NetworkConnections=count(), RemoteIPs=make_set(RemoteIP) by InitiatingProcessId, DeviceId
) on $left.ProcessId == $right.InitiatingProcessId, DeviceId
| join kind=leftouter (
    DeviceFileEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName in~ ('node', 'node.exe')
    | where FileName has_any ('id_rsa', '.ssh', 'shadow', 'passwd', '.env', 'credentials')
    | summarize SensitiveFileAccess=count() by InitiatingProcessId, DeviceId
) on $left.ProcessId == $right.InitiatingProcessId, DeviceId
| where isnotempty(NetworkConnections) or isnotempty(SensitiveFileAccess)
| extend RiskScore = case(
    isnotempty(SensitiveFileAccess), 'Critical',
    isnotempty(NetworkConnections), 'High',
    'Medium')   // fallback is unreachable after the filter above; kept for completeness
| project TimeGenerated, DeviceId, DeviceName, AccountName, ProcessId, ProcessCommandLine, EscapePatternInCmdline, NetworkConnections, RemoteIPs, SensitiveFileAccess, RiskScore
Detects Node.js processes that appear to use vm2 and subsequently make unexpected network connections or access sensitive files, indicative of a sandbox escape via CVE-2026-47140.
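The same correlation re-implemented in Python over constructed sample telemetry, as an added example that is not the page's query or vm2's code, so the join and risk scoring can be checked offline. Field names follow the Defender tables used by the query above; the event dictionaries and device/process ids are assumptions.

```python
from collections import defaultdict

# Added example, not the page's code: the KQL correlation above, re-implemented over constructed telemetry.
VM2_MARKERS = ("vm2", "new VM", "new NodeVM")            # ProcessCommandLine markers
ESCAPE_PATTERNS = ("inspector", "promises", "process.binding",
                   "process.mainModule", "__proto__", "constructor.constructor")
SENSITIVE_NAMES = ("id_rsa", ".ssh", "shadow", "passwd", ".env", "credentials")
NODE_BINARIES = {"node", "node.exe"}                     # Linux and Windows binary names

def has_any(text, needles):
    """Case-insensitive substring match, standing in for KQL has_any."""
    return any(n.lower() in text.lower() for n in needles)

def correlate(process_events, network_events, file_events):
    """One finding per node+vm2 process that also shows network or sensitive-file activity."""
    net, files = defaultdict(lambda: [0, set()]), defaultdict(int)
    for e in network_events:                             # DeviceNetworkEvents summarize
        if e["InitiatingProcessFileName"].lower() in NODE_BINARIES:
            k = (e["DeviceId"], e["InitiatingProcessId"])
            net[k][0] += 1
            net[k][1].add(e["RemoteIP"])
    for e in file_events:                                # DeviceFileEvents summarize
        if (e["InitiatingProcessFileName"].lower() in NODE_BINARIES
                and has_any(e["FileName"], SENSITIVE_NAMES)):
            files[(e["DeviceId"], e["InitiatingProcessId"])] += 1
    findings = []
    for p in process_events:                             # DeviceProcessEvents plus both joins
        cmd = p["ProcessCommandLine"]
        if p["FileName"].lower() not in NODE_BINARIES or not has_any(cmd, VM2_MARKERS):
            continue
        k = (p["DeviceId"], p["ProcessId"])
        n, f = net.get(k), files.get(k, 0)
        if not n and not f:
            continue                                     # no post-exploitation behaviour observed
        findings.append({"DeviceId": p["DeviceId"], "ProcessId": p["ProcessId"],
                         "RiskScore": "Critical" if f else "High",
                         "NetworkConnections": n[0] if n else 0,
                         "RemoteIPs": sorted(n[1]) if n else [],
                         "SensitiveFileAccess": f,
                         "EscapePatternInCmdline": has_any(cmd, ESCAPE_PATTERNS)})
    return findings

# Constructed sample telemetry (not real data): pid 200 shows the escape behaviour, 100 and 300 are benign noise
PROCESS = [{"DeviceId": "d1", "ProcessId": 100, "FileName": "node", "ProcessCommandLine": "node api.js --vm2"},
           {"DeviceId": "d1", "ProcessId": 200, "FileName": "node", "ProcessCommandLine": 'node -e "new VM().run(src)"'},
           {"DeviceId": "d2", "ProcessId": 300, "FileName": "node.exe", "ProcessCommandLine": "node.exe build.js"}]
NETWORK = [{"DeviceId": "d1", "InitiatingProcessId": 200, "InitiatingProcessFileName": "node", "RemoteIP": "203.0.113.5"}]
FILES = [{"DeviceId": "d1", "InitiatingProcessId": 200, "InitiatingProcessFileName": "node", "FileName": "id_rsa"},
         {"DeviceId": "d2", "InitiatingProcessId": 300, "InitiatingProcessFileName": "node.exe", "FileName": ".env"}]
```

Pid 300 touches `.env` but never references vm2, and pid 100 references vm2 without follow-on activity, so neither is reported; only pid 200 is scored.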
False Positives
- Legitimate Node.js applications using vm2 that make network calls as part of normal operation
- Development and testing environments running vm2 sandbox tests
- CI/CD pipelines running automated tests that exercise vm2 code paths
- Security researchers testing vm2 in controlled lab environments
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-47140 (vm2 Builtin Denylist Bypass via process/inspector Leads to Host RCE) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps (YARA-L) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:
logsource:
  category: process_creation
  product: windows
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: vm2 Sandbox Escape via inspector/promises — Host Code Execution
  Expected signal: Sysmon/auditd will log (1) a node process launch with vm2 in the path or arguments, (2) a file creation event at /tmp/vm2_escape_poc.txt by the node process, and (3) a child process or execSync call spawning sh/bash from within node.
- Test 2: vm2 Escape with Outbound Network Callback (Simulated C2 Beacon)
  Expected signal: Network flow logs will show an outbound HTTP connection to example.com originating from the node process PID. EDR should capture the network connect event and correlate it to the parent node process with vm2 in its command line.
- Test 3: vm2 Escape via process.binding — Enumerate Host Environment Secrets
  Expected signal: A file write event at /tmp/vm2_env_harvest.json attributed to the node process, and a process event showing node with potential vm2-related arguments. EDR may also capture the internal environment variable enumeration if it hooks process.env access.