CVE-2026-47210 Google Chronicle · YARA-L

Detect vm2 Sandbox Escape via JSPI-backed Promise .finally() Species Bypass in Google Chronicle

Detects exploitation of CVE-2026-47210, a critical sandbox escape vulnerability in the npm vm2 library (versions <= 3.11.3). The vulnerability abuses the JavaScript Promise Integration (JSPI) mechanism and the Promise species pattern in .finally() to escape the vm2 sandbox and execute arbitrary code on the host. A public PoC exists and exploitation grants full host access with the privileges of the Node.js process.

MITRE ATT&CK

Tactic: Execution, Privilege Escalation

YARA-L Detection Query

rule cve_2026_47210_vm2_sandbox_escape {
  meta:
    author = "df00tech"
    description = "Detects vm2 sandbox escape via JSPI Promise.finally species bypass (CVE-2026-47210)"
    severity = "CRITICAL"
    priority = "HIGH"
    cve = "CVE-2026-47210"

  events:
    // $node_proc: a node binary launched with vm2 on its own or its child's command line
    $node_proc.metadata.event_type = "PROCESS_LAUNCH"
    $node_proc.principal.process.file.full_path = /node/ nocase
    (
      $node_proc.target.process.command_line = /vm2/ nocase
      or $node_proc.principal.process.command_line = /vm2/ nocase
    )
    $node_proc.principal.hostname = $hostname

    // $child_proc: the node process spawning something that looks like a child_process call,
    // ignoring binaries under /usr/bin/ and npm itself
    $child_proc.metadata.event_type = "PROCESS_LAUNCH"
    $child_proc.principal.process.file.full_path = /node/ nocase
    $child_proc.target.process.command_line = /(execSync|spawnSync|child_process|exec\()/ nocase
    not $child_proc.target.process.file.full_path = /\/usr\/bin\// nocase
    not $child_proc.target.process.file.full_path = /npm/ nocase
    $child_proc.principal.hostname = $hostname

    // the vm2 launch must precede the spawn; the 5-minute window is enforced by the match section
    $node_proc.metadata.event_timestamp.seconds < $child_proc.metadata.event_timestamp.seconds

  match:
    $hostname over 5m

  condition:
    $node_proc and $child_proc
}

YARA-L 2.0 rule for Google Chronicle correlating a Node.js vm2 invocation with a subsequent child process execution call within 5 minutes on the same host, indicating sandbox escape exploitation.
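To check the correlation logic before deploying it, the rule's predicates replayed in Python over constructed UDM-style process-launch records. This is an added example, not part of the original page or the Chronicle rule; the record fields, hostnames, paths and timestamps are simplified and constructed.

```python
import re

NODE_BIN = "/usr/local/bin/node"  # constructed path for the sample records

def ev(ts, host, principal_path, principal_cmd, target_path, target_cmd):
    """Minimal stand-in for a UDM PROCESS_LAUNCH event (only rule-relevant fields)."""
    return dict(ts=ts, host=host, principal_path=principal_path, principal_cmd=principal_cmd,
                target_path=target_path, target_cmd=target_cmd)

EVENTS = [  # constructed sample telemetry, not captured from a real host
    ev(1000, "app-01", NODE_BIN, "node server.js", NODE_BIN, "node run_plugin.js --engine vm2"),
    ev(1090, "app-01", NODE_BIN, "node run_plugin.js", "/bin/sh",
       "sh -c \"child_process.execSync('id > /tmp/escape_test.txt')\""),   # should pair with 1000
    ev(1100, "app-01", NODE_BIN, "node run_plugin.js", "/usr/bin/sh", "sh -c exec(ls)"),  # excluded path
    ev(1120, "app-02", NODE_BIN, "node worker.js", "/bin/sh", "sh -c execSync(whoami)"),   # other host
    ev(1400, "app-01", NODE_BIN, "node run_plugin.js", "/bin/sh", "sh -c spawnSync(id)"),  # outside 5 min
]

# Same regexes as the YARA-L rule (nocase -> re.I)
NODE = re.compile(r"node", re.I)
VM2 = re.compile(r"vm2", re.I)
CHILD_EXEC = re.compile(r"(execSync|spawnSync|child_process|exec\()", re.I)
EXCLUDED_PATH = re.compile(r"(/usr/bin/|npm)", re.I)

def is_vm2_launch(e):
    """$node_proc: node binary with 'vm2' on the parent or the child command line."""
    return bool(NODE.search(e["principal_path"])) and bool(
        VM2.search(e["target_cmd"]) or VM2.search(e["principal_cmd"]))

def is_host_exec(e):
    """$child_proc: node spawning a process whose command line looks like a child_process
    call, excluding anything under /usr/bin/ and npm itself."""
    return (bool(NODE.search(e["principal_path"]))
            and bool(CHILD_EXEC.search(e["target_cmd"]))
            and not EXCLUDED_PATH.search(e["target_path"]))

def correlate(events, window=300):
    """Mirror the rule's join: same host, vm2 launch strictly before the spawn, within the window.
    Returns (host, node_ts, child_ts) tuples in input order."""
    hits = []
    for n in filter(is_vm2_launch, events):
        for c in filter(is_host_exec, events):
            if c["host"] == n["host"] and n["ts"] < c["ts"] and c["ts"] - n["ts"] < window:
                hits.append((n["host"], n["ts"], c["ts"]))
    return hits

if __name__ == "__main__":
    for host, n_ts, c_ts in correlate(EVENTS):
        print(f"ALERT {host}: vm2 launch at t={n_ts} followed by host exec at t={c_ts}")
```

Only the app-01 pair at t=1000/1090 fires; the /usr/bin/ spawn, the other host and the spawn 400 s later are dropped by the same exclusions and window the rule applies.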

Data Sources

Google Chronicle
Endpoint Telemetry (via Chronicle ingestion)

Required Tables

Process Launch Events (UDM)

False Positives & Tuning

  • Applications that legitimately sandbox user scripts via vm2 and also manage worker processes for scaling
  • Node.js backend services using vm2 for plugin isolation that spawn helper binaries
  • Automated penetration testing or red team exercises targeting vm2 in authorized environments
  • Development environments where vm2-powered REPLs or code runners also invoke shell commands


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: vm2 JSPI Species Bypass — Host Process Execution via Promise.finally

    Expected signal: Process creation event: node spawning child process (sh -c 'id > /tmp/vm2_escape_test.txt') or direct execSync call visible in process audit logs. File creation event for /tmp/vm2_escape_test.txt by the node process.

  2. Test 2: vm2 Sandbox Escape — Environment Variable Exfiltration

    Expected signal: Node.js process accessing environment variables in a vm2 run context. Application-layer logging may show unexpected JSON serialization of env object. No child process is spawned, so EDR process-tree signals may not fire — rely on vm2 audit logging if enabled.

  3. Test 3: vm2 Version Audit and Vulnerable Instance Discovery

    Expected signal: Process creation events for find and node commands reading package.json files. File access events on node_modules directories. No malicious activity — this is a discovery/audit test.

  4. Test 4: vm2 Sandbox Escape on Windows — Host Command Execution via species bypass

    Expected signal: Windows Security Event Log (Event ID 4688) showing node.exe creating a child process (cmd.exe or conhost.exe). EDR telemetry showing process tree: node.exe -> cmd.exe with whoami command. File creation event for C:\Temp\vm2_escape.txt.
