Detect vm2 Sandbox Escape via JSPI-backed Promise .finally() Species Bypass in Splunk
Detects exploitation of CVE-2026-47210, a critical sandbox escape vulnerability in the npm vm2 library (versions <= 3.11.3). The vulnerability abuses the JavaScript Promise Integration (JSPI) mechanism and the Promise species pattern in .finally() to escape the vm2 sandbox and execute arbitrary code on the host. A public PoC exists and exploitation grants full host access with the privileges of the Node.js process.
MITRE ATT&CK
- Tactic: Execution, Privilege Escalation
SPL Detection Query
index=main sourcetype IN ("process_creation", "osquery:results", "auditd", "WinEventLog:Security")
| eval proc_lower=lower(process)
| where (proc_lower LIKE "%node%" OR parent_process LIKE "%node%")
| eval cmd_lower=lower(cmdline)
| eval vm2_involved=if(match(cmd_lower, "vm2"), 1, 0)
| eval escape_indicators=if(
    match(cmd_lower, "child_process") OR
    match(cmd_lower, "execsync") OR
    match(cmd_lower, "spawnsync") OR
    match(cmd_lower, "require\\s*\\(\\s*['\"]child_process"),
    1, 0)
| where vm2_involved=1 OR (escape_indicators=1 AND parent_process LIKE "%node%")
| eval risk_score=if(vm2_involved=1 AND escape_indicators=1, 100, if(vm2_involved=1, 60, 40))
| stats count AS event_count, max(risk_score) AS max_risk, latest(_time) AS _time, values(cmdline) AS commands, values(user) AS users BY host, process, parent_process
| where max_risk >= 60 OR (event_count > 3 AND max_risk >= 40)
| sort -max_risk
| eval severity=case(max_risk>=100, "CRITICAL", max_risk>=60, "HIGH", 1=1, "MEDIUM")
| table _time, host, process, parent_process, commands, users, event_count, severity

Detects Node.js processes involving vm2 that exhibit sandbox escape indicators such as spawning child processes or calling child_process module functions. The indicator patterns are matched against the lowercased command line, so they are written in lowercase, and the latest event time is carried through stats so the final table keeps a timestamp. The risk score is high when both vm2 involvement and escape indicators are present.
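The same scoring, grouping and threshold logic as the SPL query, implemented as an added Python example (not part of the original detection package) so the thresholds can be checked offline against sample events. Field names mirror the query's; the events are constructed, not real telemetry.

```python
import re

# Indicator regex mirrors the SPL: matched against the lowercased command line, so literals are lowercase.
ESCAPE_RE = re.compile(r"child_process|execsync|spawnsync|require\s*\(\s*['\"]child_process")

def score_event(process, parent_process, cmdline):
    """Risk score for one process-creation event; 0 means out of scope for the rule."""
    proc, parent = process.lower(), (parent_process or "").lower()
    if "node" not in proc and "node" not in parent:
        return 0
    cmd = (cmdline or "").lower()
    vm2, escape = "vm2" in cmd, ESCAPE_RE.search(cmd) is not None
    if vm2 and escape:
        return 100
    if vm2:
        return 60
    return 40 if escape and "node" in parent else 0

def aggregate(events):
    """Group like the SPL stats (host, process, parent), then apply its where/severity logic."""
    groups = {}
    for e in events:
        s = score_event(e["process"], e["parent_process"], e["cmdline"])
        if s == 0:
            continue
        key = (e["host"], e["process"], e["parent_process"])
        g = groups.setdefault(key, {"event_count": 0, "max_risk": 0, "commands": set(), "users": set()})
        g["event_count"] += 1
        g["max_risk"] = max(g["max_risk"], s)
        g["commands"].add(e["cmdline"])
        g["users"].add(e["user"])
    alerts = []
    for (host, proc, parent), g in groups.items():
        if g["max_risk"] >= 60 or (g["event_count"] > 3 and g["max_risk"] >= 40):
            sev = "CRITICAL" if g["max_risk"] >= 100 else "HIGH" if g["max_risk"] >= 60 else "MEDIUM"
            alerts.append({"host": host, "process": proc, "parent_process": parent, "severity": sev, **g})
    return sorted(alerts, key=lambda a: -a["max_risk"])  # SPL: sort -max_risk

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "web-01", "process": "/usr/bin/node", "parent_process": "/usr/bin/node", "user": "app",
     "cmdline": "node -e \"const {VM}=require('vm2');require('child_process').execSync('id')\""},
    {"host": "web-01", "process": "/bin/sh", "parent_process": "/usr/bin/node", "user": "app",
     "cmdline": "sh -c 'id > /tmp/vm2_escape_test.txt'"},  # 'vm2' in the path alone scores 60
    {"host": "build-02", "process": "/usr/bin/node", "parent_process": "/bin/bash", "user": "ci",
     "cmdline": "node build.js --plugin vm2"},             # benign build use: a tuning candidate
    {"host": "dev-03", "process": "/usr/bin/node", "parent_process": "/usr/bin/node", "user": "dev",
     "cmdline": "node -e \"require('child_process').spawnSync('ls')\""},  # 40, below threshold alone
]
```

Running `aggregate(SAMPLE_EVENTS)` yields one CRITICAL and two HIGH alerts; the lone score-40 event on dev-03 only alerts (as MEDIUM) once more than three such events share a host/process/parent group.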
Data Sources
Required Sourcetypes
False Positives & Tuning
- Build tools and task runners that legitimately use vm2 for script isolation
- Node.js applications calling child_process for non-malicious subprocess management unrelated to vm2
- Developer workstations running vm2 tests that include process spawning as part of test logic
- Automated testing frameworks using vm2 in combination with process execution
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: vm2 JSPI Species Bypass — Host Process Execution via Promise.finally
Expected signal: Process creation event: node spawning child process (sh -c 'id > /tmp/vm2_escape_test.txt') or direct execSync call visible in process audit logs. File creation event for /tmp/vm2_escape_test.txt by the node process.
- Test 2: vm2 Sandbox Escape — Environment Variable Exfiltration
Expected signal: Node.js process accessing environment variables in a vm2 run context. Application-layer logging may show unexpected JSON serialization of env object. No child process is spawned, so EDR process-tree signals may not fire — rely on vm2 audit logging if enabled.
- Test 3: vm2 Version Audit and Vulnerable Instance Discovery
Expected signal: Process creation events for find and node commands reading package.json files. File access events on node_modules directories. No malicious activity — this is a discovery/audit test.
- Test 4: vm2 Sandbox Escape on Windows — Host Command Execution via species bypass
Expected signal: Windows Security Event Log (Event ID 4688) showing node.exe creating a child process (cmd.exe or conhost.exe). EDR telemetry showing process tree: node.exe -> cmd.exe with whoami command. File creation event for C:\Temp\vm2_escape.txt.
References (5)
- https://github.com/patriksimek/vm2/security/advisories/GHSA-6j2x-vhqr-qr7q
- https://github.com/patriksimek/vm2/commit/6915fa4d9bcebd47b9a4f39a1adc1aa94ef6ffc6
- https://github.com/patriksimek/vm2/releases/tag/v3.11.4
- https://nvd.nist.gov/vuln/detail/CVE-2026-47210
- https://github.com/advisories/GHSA-6j2x-vhqr-qr7q