PatchSiren cyber security CVE debrief
CVE-2026-43981 xyproto CVE debrief
A race condition in Algernon, a self-contained pure-Go web server, allows concurrent requests to corrupt the shared Lua VM state. The vulnerability exists in engine/luahandler.go where the sync.RWMutex protecting LoadCommonFunctions is released before gopher-lua's L.Push() and L.PCall() operations complete. Since gopher-lua's LState is explicitly not goroutine-safe, this premature unlock enables data races on the shared Lua state under concurrent load. The Go race detector confirms this behavior under modest concurrency (100 concurrent connections). This is a HIGH severity vulnerability with CVSS 8.2, primarily impacting availability through VM corruption. The issue was fixed in Algernon version 1.17.6.
- Vendor: xyproto
- Product: algernon
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations running Algernon web servers with Lua scripting enabled, particularly those handling concurrent requests. DevOps teams managing Go-based web infrastructure. Security teams monitoring for availability-impacting race conditions in interpreted language embeddings.
Technical summary
The vulnerability stems from incorrect mutex lifecycle management in Algernon's Lua handler. The sync.RWMutex is unlocked before gopher-lua state manipulation completes, violating gopher-lua's thread-safety requirements. Under concurrent HTTP requests (demonstrated with 100 concurrent connections), multiple goroutines race on the shared LState, causing memory corruption and VM instability. The fix in 1.17.6 extends mutex coverage to encompass the complete L.Push() and L.PCall() execution window.
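The locking defect described above, reduced to the two handler shapes side by side, as an added illustration rather than Algernon's own code. gopher-lua is replaced by a hypothetical stand-in type, luaVM, that behaves like an LState in the one way that matters here (it must never be entered by two goroutines at once) but counts overlapping entries instead of corrupting memory, so the race shows up as a number without the race detector. The names handler, serveVulnerable, serveFixed and hammer are assumptions; the premature-unlock shape in serveVulnerable is the pattern to look for when reviewing custom Lua handlers.

```go
package main

import (
	"fmt"
	"runtime"
	"sync"
	"sync/atomic"
)

// luaVM is a hypothetical stand-in for gopher-lua's *lua.LState. Like the real
// LState it is not goroutine-safe; unlike the real one it records how often a
// second goroutine entered it while a call was still in progress.
type luaVM struct {
	inUse    int32 // goroutines currently inside Push/PCall
	overlaps int32 // calls that found another goroutine already inside
	calls    int32 // completed calls
}

// pushAndCall models L.Push(fn) followed by L.PCall(): a multi-step mutation
// of VM-internal state. The Gosched calls stand in for interpreter work and
// give the scheduler the chance to interleave concurrent requests.
func (vm *luaVM) pushAndCall() {
	if atomic.AddInt32(&vm.inUse, 1) > 1 {
		atomic.AddInt32(&vm.overlaps, 1)
	}
	for i := 0; i < 3; i++ {
		runtime.Gosched()
	}
	atomic.AddInt32(&vm.inUse, -1)
	atomic.AddInt32(&vm.calls, 1)
}

// loadCommonFunctions models the LoadCommonFunctions step that the original
// lock did cover.
func (vm *luaVM) loadCommonFunctions() {
	runtime.Gosched()
}

// handler holds the shared VM and the RWMutex guarding it. A write lock is
// used because Push/PCall mutate the VM; a read lock would not serialise them.
type handler struct {
	mu sync.RWMutex
	vm *luaVM
}

// serveVulnerable mirrors the pre-1.17.6 pattern from the advisory: the lock
// is released after LoadCommonFunctions, before Push/PCall have run.
func (h *handler) serveVulnerable() {
	h.mu.Lock()
	h.vm.loadCommonFunctions()
	h.mu.Unlock()      // too early: the VM is about to be mutated again
	h.vm.pushAndCall() // now races with every other in-flight request
}

// serveFixed mirrors the 1.17.6 fix: the lock spans the whole window in which
// the VM is touched, so requests are serialised through the interpreter.
func (h *handler) serveFixed() {
	h.mu.Lock()
	defer h.mu.Unlock()
	h.vm.loadCommonFunctions()
	h.vm.pushAndCall()
}

// hammer runs n concurrent requests against a fresh handler and returns how
// many entered the VM while another request was still inside it, plus the
// number of requests that completed.
func hammer(n int, fixed bool) (overlaps, calls int32) {
	h := &handler{vm: &luaVM{}}
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if fixed {
				h.serveFixed()
			} else {
				h.serveVulnerable()
			}
		}()
	}
	wg.Wait()
	return atomic.LoadInt32(&h.vm.overlaps), atomic.LoadInt32(&h.vm.calls)
}

func main() {
	// 100 concurrent requests, the load level the advisory cites.
	o, c := hammer(100, false)
	fmt.Printf("premature unlock: %d of %d requests overlapped inside the VM\n", o, c)
	o, c = hammer(100, true)
	fmt.Printf("lock held across PCall: %d of %d requests overlapped\n", o, c)
}
```

Running the vulnerable variant almost always reports a non-zero overlap count, while the fixed variant reports zero regardless of load; the same program built with `go run -race` flags the vulnerable path because inUse and overlaps would be plain fields in a real VM rather than atomics.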
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Algernon to version 1.17.6 or later to eliminate the race condition
- If immediate patching is not possible, limit concurrent request handling to single-threaded operation or implement request serialization for Lua-handled endpoints
- Enable Go race detector in staging environments to identify similar concurrency issues: `go run -race` or `go test -race`
- Review custom Lua handler implementations for similar premature unlock patterns
- Monitor application logs for Lua VM crashes or corruption indicators that may signal exploitation attempts
Evidence notes
CVE description confirms race condition in engine/luahandler.go with premature RWMutex release before L.Push()/L.PCall(). Go race detector validation cited. Fix version 1.17.6 confirmed. CVSS 4.0 vector AV:N/AC:H/AT:N/PR:N/UI:N/VA:H indicates network-accessible, high attack complexity, no privileges required, high availability impact. CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) classified by GitHub Security Advisories.
Official resources
2026-05-26T17:16:45.950Z