Skip to main content

Luanti CVE-2026-40959

| EUVDEUVD-2026-23149 CRITICAL
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-04-16 mitre
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

10
Patch released
Apr 17, 2026 - 15:38 nvd
Patch available
Analysis Updated
Apr 16, 2026 - 05:32 vuln.today
v3 (patch_released)
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5.15.2
Analysis Updated
Apr 16, 2026 - 01:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 01:38 vuln.today
cvss_changed
Analysis Generated
Apr 16, 2026 - 01:19 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 01:15 euvd
EUVD-2026-23149
Analysis Generated
Apr 16, 2026 - 01:15 vuln.today
CVE Published
Apr 16, 2026 - 00:51 nvd
CRITICAL 9.3

DescriptionCVE.org

Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod.

AnalysisAI

Lua sandbox escape in Luanti 5.x (formerly Minetest) game engine allows malicious mod code to break out of LuaJIT security restrictions and execute arbitrary code on the host system. Affects all Luanti 5.0.0 through 5.15.1 when compiled with LuaJIT instead of standard Lua. Attackers with ability to distribute crafted mods can achieve complete system compromise with scope change (S:C in CVSS), escalating from sandboxed mod execution to full host access. No authentication required but local access needed (AV:L). Patch available in version 5.15.2 via two upstream commits. EPSS data not available; no confirmed active exploitation or public POC at time of analysis.

Technical ContextAI

Luanti (previously known as Minetest) is an open-source voxel game engine written in C++ that uses Lua scripting for game logic and mod support. The engine supports both standard Lua and LuaJIT (Just-In-Time compiler variant) as scripting backends. LuaJIT provides performance benefits but has historically presented unique security challenges for sandboxing due to its FFI (Foreign Function Interface) capabilities and JIT compilation mechanisms. This vulnerability (CWE-829: Inclusion of Functionality from Untrusted Control Sphere) specifically affects the LuaJIT implementation's sandbox, which is designed to isolate mod code from the host operating system. The sandbox escape allows malicious Lua code within a mod to bypass security boundaries and access system-level functionality that should be restricted. The CVSS scope change (S:C) indicates the vulnerable component (LuaJIT sandbox) operates at a different privilege level than the impacted component (host system), confirming genuine privilege escalation beyond the intended mod execution context.

RemediationAI

Upgrade to Luanti 5.15.2 or later, which contains the complete fix implemented in commits 8a929dfb97aa08337f49ba1bb96a56d6557dc896 and 53cef183e2a85a4daff84ac1a9a7946f940da8f8 available at https://github.com/luanti-org/luanti. If immediate upgrade is not feasible, recompile Luanti with standard Lua interpreter instead of LuaJIT - this eliminates the vulnerable code path entirely but may reduce mod execution performance by 2-5x depending on workload. For production multiplayer servers unable to upgrade immediately, implement strict mod vetting: only load mods from trusted sources with code review, disable automatic mod downloading, and run the game engine in a sandboxed environment (container, VM, or restricted user account) to limit blast radius of successful sandbox escape. Note that switching to standard Lua may break mods with LuaJIT-specific dependencies or performance assumptions. Operators of public servers accepting user-uploaded mods should treat this as a critical-priority patch due to the trivial social engineering path (malicious mod distribution).

Vendor StatusVendor

SUSE

Severity: Critical

Share

CVE-2026-40959 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy