CVE-2026-26956 - vm2: WASM Sandbox Escape (Node 25 only)

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

https://app.opencve.io/cve/CVE-2026-26956

No idea. I have two accounts, one on Lemmy, one on Mastodon. Presumably somebody is mirroring this community to Mastodon, or perhaps the other way around, I’m not sure.

I’m typing this on Lemmy, not Mastodon.

The issue is not packaging, it’s users circumventing security out of ignorance, willful or not, still ignorance.

As Linux gains popularity, the users will need to learn, often the hard way, how to go about installing stuff. Running a random script off the internet is not how it’s done.

Uhm … no.

Linux had permissions from day one, neither Windows nor Apple did until much more recently.

I use Apple, since there’s many versions of its OS and only¹ the one based on BSD has permissions.

The entire Linux ecosystem is permissions based, it’s baked into the kernel and while bugs continue to be discovered and patched, they’re visible to everyone, where that’s not the case with either Windows nor Apple.

Permissions aren’t new. Unix has had them from the early days, as have operating systems like VMS, BSD and OS/400 to name a few.

As for exploits, the level of user social engineering exploits is exploding with the growth of Linux, since most new users come from operating systems with poor security.

In my opinion Mac OS is hurting itself by making inexplicable security choices, causing pain where none is required, resulting in people actively disabling security to their own detriment.

As for actual exploits, they’re getting more and more ubiquitous since more and more operating systems are running the same code, think python, nginx, bash, etc.

Finally, I’d point out that your attempt at dispelling what you call a myth does not appear to be backed up by facts or sources.

I’ve been in this industry for over 40 years and while it’s far from perfect, I am comfortable stating that Linux is more secure than many operating systems and I suspect that it will continue to be the case for the foreseeable future.

I also note that it has a significantly larger user base than any other OS. Don’t believe me? Heard of Android, same Linux kernel.

¹ There was a brief A/UX hybrid OS that had permissions, based on Unix System V and BSD. It was discontinued in 1995.

https://xkcd.com/927/

Not sure what you mean. When I click the link on my post, it goes to where I intended. Note that I removed an errant period at the end of the URL about an hour ago.

Edit: Well this is getting weird. I tested it three times, now it goes to a redirect page that does require the period.

Edit: I think I nailed it third time around.

Thank you, fixed.

I think that it’s going to take societal change to stop this from being the norm. In Australia there was a road safety campaign with the slogan:

“Speeding. No one thinks big of you.”

It essentially compared speeding with having a small penis, by using the metaphor of a wiggling pinkie, and thus embarrassing perpetrators.

In other words, it needs to become uncool to drive such a massive vehicle. Perhaps “The bigger the trick, the smaller the …”

https://en.wikipedia.org/wiki/Speeding._No_one_thinks_big_of_you.

Edit: Removed stray period.

Edit: Added non stray period back and changed how I entered the URL. Fingers crossed this works. Remind me again why I work in IT.

If you’re not going to show the source code, there’s absolutely no point in using GitHub.

As for getting paid, I hadn’t seen gumroad before, nice, but failing the access to the source, it’s unlikely I’d buy/pay for unknown software and install it sight unseen on anything I care about.

From a security perspective, in my opinion this is a disaster waiting to happen.

Some reasons:

We don’t (yet) have flexible panels that would survive the abuse that curtains experience.

Vertical surfaces are not nearly as effective for the majority of cases in capturing solar radiation.

Windows have lots of obstructions that reduce the effectiveness of a solar panel.

Putting solar panels behind an extra layer of glass that would need to be kept pristine would be counter productive.

The voltages involved in solar panels would create an added source of danger inside the house.

Pandoc will convert markdown to a PDF in portrait or landscape and there’s even “beamer” support, aka data projector or presentation support.

Why run Docker Desktop when it’s installable as a cli service?

What are you actually trying to achieve?

By that logic Sea Eagles are pretty much 100% fish.

It’s not too late.

As a creator, I’d be much more interested in a way to get paid into my actual bank account in such a way that didn’t involve Bitcoin (et. al.), PayPal or Stripe.

Tah. I’ll have a look see.

Not sure how, or if, I’d want to install an Arch package under Debian, but it’s my understanding that the package I’ve raised a bug for under Debian implements, or is supposed to at least, the functionality you’re describing.

What I haven’t found is a recipe that documents exactly how it’s supposed to work (not to mention, in a Debian way).

I’d love to discover something that doesn’t start with instructions to remove all pipewire packages and install from source, since that completely defeats the purpose of running Debian Stable as the host.

In my adventures I did look at this, but it appears to require that you install support for this inside the guest, which is possible for modern guests, but not for ancient ones like say Debian Wheezy or Win98se.

I’d be surprised if they had been updated at all after their installation was signed off.