Skip to main content

Luanti CVE-2026-41196

| EUVDEUVD-2026-25154 CRITICAL
Code Injection (CWE-94)
2026-04-23 GitHub_M
Critical
Disputed · 9.0 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
GitHub Advisory PRIMARY
9.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.0 MEDIUM
qualitative
Red Hat
8.2 HIGH
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Patch released
Apr 24, 2026 - 14:50 nvd
Patch available
Analysis Generated
Apr 23, 2026 - 06:45 vuln.today
Patch available
Apr 23, 2026 - 06:16 EUVD
CVSS changed
Apr 23, 2026 - 02:35 NVD
9.0 (CRITICAL)
EUVD ID Assigned
Apr 23, 2026 - 01:15 euvd
EUVD-2026-25154
Analysis Generated
Apr 23, 2026 - 01:15 vuln.today
CVE Published
Apr 23, 2026 - 00:28 nvd
CRITICAL 9.0

DescriptionGitHub Advisory

Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing builtin/init.lua and adding the line getfenv = nil at the end. Note that this will break mods relying on this function (which is not inherently unsafe).

AnalysisAI

Remote code execution in Luanti 5.0.0 through 5.15.1 allows authenticated attackers to escape the Lua sandbox via malicious mods, achieving arbitrary code execution and full filesystem access on victim devices when LuaJIT is enabled. The vulnerability affects server-side mods, async/mapgen environments, and client-side mods (CSM), requiring only low privileges to exploit. A vendor patch is available in version 5.15.2, addressing a CWE-94 code injection flaw that enables complete compromise of the host system. No active exploitation or proof-of-concept has been publicly identified at time of analysis.

Technical ContextAI

Luanti (formerly Minetest) is an open-source voxel game engine written in C++ with a Lua scripting API for mods. The platform implements a sandbox to isolate mod code execution from the underlying system. This vulnerability (CWE-94: Improper Control of Generation of Code) exploits the 'getfenv' function in LuaJIT implementations to break sandbox boundaries. LuaJIT is a just-in-time compiler for Lua that provides performance optimizations but exposes unsafe primitives when not properly restricted. The affected CPE cpe:2.3:a:luanti-org:luanti includes all versions from 5.0.0 to 5.15.1. The flaw exists across multiple Lua execution contexts: server-side mods (which run on game servers), asynchronous/mapgen environments (used for world generation), and client-side mods (CSM, which execute on player devices). The root cause is insufficient neutralization of the 'getfenv' function, which allows access to function environments outside the sandbox, enabling arbitrary native code execution through LuaJIT's FFI capabilities.

RemediationAI

Upgrade to Luanti version 5.15.2 or later, which contains the vendor-released patch available at https://github.com/luanti-org/luanti/commit/8a929dfb97aa08337f49ba1bb96a56d6557dc896. For users unable to immediately upgrade release versions 5.0.0-5.15.1, apply the interim mitigation by editing builtin/init.lua and adding 'getfenv = nil' at the end of the file, then restarting the server/client. Note this workaround will break any legitimate mods that rely on getfenv functionality, requiring compatibility testing before deployment in production environments. Alternative compensating control: recompile Luanti without LuaJIT support, using the standard Lua interpreter instead, which eliminates the vulnerable code path but reduces scripting performance by approximately 2-5x. For server operators, restrict mod installation privileges to trusted administrators only and implement mod code review processes, though these controls only reduce attack surface and do not eliminate the vulnerability. Review all installed mods for suspicious filesystem access patterns or unusual native library loading as potential indicators of exploitation attempts.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-41196 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy