WID-SEC-W-2026-1349

Vulnerability from csaf_certbund - Published: 2026-05-03 22:00 - Updated: 2026-05-04 22:00
Summary
vm2: Multiple vulnerabilities
Severity
Critical
Notes
As a provider, the BSI is responsible under general law for its own content that it makes available for use. Users are, however, responsible for carefully checking, in each individual case, the use and/or implementation of the information provided with that content.
Product description: vm2 is a sandbox in which untrusted code can be run with Node's built-in modules.
Attack: An attacker can exploit multiple vulnerabilities in vm2 to execute arbitrary code, cause a denial of service, disclose information, and bypass security measures.
Affected operating systems: Linux, Other, UNIX, Windows

{
  "document": {
    "aggregate_severity": {
      "text": "kritisch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "vm2 ist eine Sandbox, in der nicht vertrauensw\u00fcrdiger Code der in Node integrierten Module ausgef\u00fchrt werden kann.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in vm2 ausnutzen, um beliebigen Programmcode auszuf\u00fchren, um einen Denial of Service Angriff durchzuf\u00fchren, um Informationen offenzulegen, und um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1349 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1349.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1349 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1349"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-2cm2-m3w5-gp2f vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-2cm2-m3w5-gp2f"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-47x8-96vw-5wg6 vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-55hx-c926-fr95 vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-6785-pvv7-mvg7 vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-6785-pvv7-mvg7"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-8hg8-63c5-gwmx vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-8hg8-63c5-gwmx"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-947f-4v7f-x2v8 vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-947f-4v7f-x2v8"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-9qj6-qjgg-37qq vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-9vg3-4rfj-wgcm vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-9vg3-4rfj-wgcm"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-cp6g-6699-wx9c vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-cp6g-6699-wx9c"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-ffh4-j6h5-pg66 vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-grj5-jjm8-h35p vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-hw58-p9xv-2mjh vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-mpf8-4hx2-7cjg vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-mpf8-4hx2-7cjg"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-qcp4-v2jj-fjx8 vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-qcp4-v2jj-fjx8"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-qvjj-29qf-hp7p vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-v27g-jcqj-v8rw vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v27g-jcqj-v8rw"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-v37h-5mfm-c47c vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-vwrp-x96c-mhwq vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-vwrp-x96c-mhwq"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-wp5r-2gw5-m7q7 vom 2026-05-03",
        "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7"
      }
    ],
    "source_lang": "en-US",
    "title": "vm2: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-04T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-05T08:06:17.827+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-1349",
      "initial_release_date": "2026-05-03T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-03T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-04T22:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-26995, EUVD-2026-26993, EUVD-2026-26987, EUVD-2026-26984, EUVD-2026-26986"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c3.11.1",
                "product": {
                  "name": "Open Source vm2 \u003c3.11.1",
                  "product_id": "T053508"
                }
              },
              {
                "category": "product_version",
                "name": "3.11.1",
                "product": {
                  "name": "Open Source vm2 3.11.1",
                  "product_id": "T053508-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vm2_project:vm2:3.11.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Open Source vm2",
                "product": {
                  "name": "Open Source vm2",
                  "product_id": "T053510",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vm2_project:vm2:-"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "vm2"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-22709",
      "product_status": {
        "known_affected": [
          "T053508",
          "T053510"
        ]
      },
      "release_date": "2026-05-03T22:00:00.000+00:00",
      "title": "CVE-2026-22709"
    },
    {
      "cve": "CVE-2026-24118",
      "product_status": {
        "known_affected": [
          "T053508",
          "T053510"
        ]
      },
      "release_date": "2026-05-03T22:00:00.000+00:00",
      "title": "CVE-2026-24118"
    },
    {
      "cve": "CVE-2026-24120",
      "product_status": {
        "known_affected": [
          "T053508",
          "T053510"
        ]
      },
      "release_date": "2026-05-03T22:00:00.000+00:00",
      "title": "CVE-2026-24120"
    },
    {
      "cve": "CVE-2026-24781",
      "product_status": {
        "known_affected": [
          "T053508",
          "T053510"
        ]
      },
      "release_date": "2026-05-03T22:00:00.000+00:00",
      "title": "CVE-2026-24781"
    },
    {
      "cve": "CVE-2026-26332",
      "product_status": {
        "known_affected": [
          "T053508",
          "T053510"
        ]
      },
      "release_date": "2026-05-03T22:00:00.000+00:00",
      "title": "CVE-2026-26332"
    },
    {
      "cve": "CVE-2026-26956",
      "product_status": {
        "known_affected": [
          "T053508",
          "T053510"
        ]
      },
      "release_date": "2026-05-03T22:00:00.000+00:00",
      "title": "CVE-2026-26956"
    }
  ]
}

