CVE-2026-40959
Deferred Deferred - Pending Action
Lua Sandbox Escape in Luanti 5 via Crafted Mod

Publication date: 2026-04-16

Last updated on: 2026-05-19

Assigner: MITRE

Description
Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40959
EUVD
EUVD-2026-23149
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
luanti luanti to 5.15.2 (exc)
luanti luanti From 5.0.0 (inc)
luanti luanti 5.15.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40959 is a critical vulnerability in the Luanti software (formerly Minetest) versions before 5.15.2 when LuaJIT is used. It allows a malicious mod to escape the Lua sandbox environment designed to restrict mod capabilities.

This sandbox escape enables arbitrary code execution and full filesystem access on the user's device, meaning that a crafted mod can break out of its restricted environment and perform unauthorized actions.

Impact Analysis

If exploited, this vulnerability can allow an attacker to execute arbitrary code on your system and gain full access to your filesystem.

  • It affects both server-side mods (including async and mapgen) and client-side mod (CSM) environments.
  • This could lead to unauthorized data access, modification, or deletion, potentially compromising the integrity and confidentiality of your system.
  • The vulnerability requires LuaJIT to be used, so systems not using LuaJIT are not affected.
Detection Guidance

To detect if your system is vulnerable, first check the version of Luanti installed by running the command `luanti --version`. Versions before 5.15.2 are affected.

Since the vulnerability involves LuaJIT usage, verifying if LuaJIT is in use is important. The version check command helps confirm this.

There are no specific network detection commands or signatures provided for identifying exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade Luanti to version 5.15.2 or later, where the vulnerability is patched.

As a workaround for existing release versions without recompilation, you can edit the file `builtin/init.lua` to add the line `getfenv = nil` at the end. This disables the `getfenv` function, which helps prevent the sandbox escape.

Note that disabling `getfenv` may break mods that depend on this function, even though it is not inherently unsafe.

Compliance Impact

The vulnerability allows a malicious mod to escape the Lua sandbox and execute arbitrary code with full filesystem access on the user's device.

Such unauthorized code execution and potential data access could lead to breaches of confidentiality, integrity, and availability of data.

This could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly mention compliance impacts or regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40959. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart