Nixpkgs security tracker
Dismissed
(not in Nixpkgs)
Permalink
CVE-2026-24118
9.8 CRITICAL
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse dismissed (not in Nixpkgs)
VM2 Sandbox Breakout Through __lookupGetter__
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.
References
-
https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p x_refsource_CONFIRMexploit
-
https://github.com/patriksimek/vm2/releases/tag/v3.11.0 x_refsource_MISC
Affected products
vm2
- ==< 3.11.0
Matching in nixpkgs
pkgs.lvm2
Tools to support Logical Volume Management (LVM) on Linux
pkgs.lvm2_vdo
Tools to support Logical Volume Management (LVM) on Linux
pkgs.lvm2_dmeventd
Tools to support Logical Volume Management (LVM) on Linux
pkgs.docker-machine-kvm2
KVM2 driver for docker-machine
-
nixos-25.11 kvm2-1.37.0
- nixos-25.11-small kvm2-1.37.0
- nixpkgs-25.11-darwin kvm2-1.37.0
Package maintainers
-
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
-
@ajs124 Andreas Schrägle <nix@ajs124.de>
-
@AtkinsChang Atkins Chang <atkinschang+nixpkgs@gmail.com>
-
@tadfisher Tad Fisher <tadfisher@gmail.com>