PT-2026-43297 · Algernon · Algernon
CVSS v4.0
8.2
High
| Vector | AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Algernon versions prior to 1.17.6
Description
In the
engine/luahandler.go file, the sync.RWMutex protecting LoadCommonFunctions is released before the L.Push() and L.PCall() functions execute. Because the LState of gopher-lua is not goroutine-safe, concurrent requests create a race condition on the shared state, leading to Lua VM corruption.Recommendations
Update to version 1.17.6.
Exploit
Fix
Race Condition
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Algernon