PT-2026-43297 · Algernon · Algernon

·

CVE-2026-43981

·

Published

2026-05-26

·

Updated

2026-05-26

CVSS v4.0

8.2

High

VectorAV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Algernon versions prior to 1.17.6
Description In the engine/luahandler.go file, the sync.RWMutex protecting LoadCommonFunctions is released before the L.Push() and L.PCall() functions execute. Because the LState of gopher-lua is not goroutine-safe, concurrent requests create a race condition on the shared state, leading to Lua VM corruption.
Recommendations Update to version 1.17.6.

Exploit

Fix

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43981
GHSA-RR2F-4WRM-H6RG

Affected Products

Algernon