CVE-2026-34089
Sandbox Escape in Wikimedia Scribunto
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: wikimedia-foundation
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wikimedia_foundation | scribunto | From 1.45.0 (inc) to 1.45.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34089 is a memory leak vulnerability in the Scribunto extension for MediaWiki. It occurs because Scribunto introduced a WeakMap to store engine objects, but these objects were not properly garbage collected due to a reference cycle. This causes memory to be exhausted when running jobs, especially when processing Lua modules that trigger multiple parses.
The issue was confirmed by reproducing it with a specially crafted Lua module that intentionally consumes memory. The fix involved manually breaking the reference cycle by calling the destroy() method on engine objects, allowing proper garbage collection.
How can this vulnerability impact me?
This vulnerability can cause the runJobs.php script in MediaWiki to exhaust available memory, leading to potential service disruptions or degraded performance. Systems running vulnerable versions of Scribunto may experience memory exhaustion when processing certain Lua modules, which can impact the stability and reliability of the MediaWiki installation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the memory usage of the runJobs.php script in the Scribunto extension for MediaWiki. A memory leak caused by a reference cycle in engine objects leads to memory exhaustion, especially when processing Lua modules that trigger multiple parses.
Detection can involve reproducing the issue using a specially crafted Lua module that intentionally consumes memory, as was done to confirm the vulnerability.
- Monitor memory usage of runJobs.php using commands like: `ps aux | grep runJobs.php` or `top`/`htop` to observe memory consumption over time.
- Use `strace` or similar tools to trace system calls and memory allocations of the runJobs.php process.
- Check MediaWiki logs for errors or warnings related to memory exhaustion during job processing.
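One way to turn the memory-monitoring advice above into a repeatable check (an added example, not part of the original page or of Scribunto): sample the resident memory of runJobs.php processes over time and flag PIDs whose usage climbs steadily. The function names, the `epoch pid rss_kb` sample format, the thresholds and the sample data are assumptions constructed for illustration.

```shell
# Added example: flag runJobs.php processes whose resident memory keeps climbing.
# Sample format (an assumption of this example): "epoch_seconds pid rss_kb" per line.

# Print one sample line per running runJobs.php process (append to a file from cron).
sample_runjobs() {
  ps -eo pid=,rss=,args= |
    awk -v t="$(date +%s)" '/runJobs\.php/ && !/awk/ { print t, $1, $2 }'
}

# leak_suspects FILE MIN_GROWTH_KB MIN_SAMPLES
# Prints "pid first_rss_kb last_rss_kb" for each PID that has enough samples,
# grew by at least MIN_GROWTH_KB, and rose in at least 80% of its sample steps.
leak_suspects() {
  awk -v min_kb="$2" -v min_n="$3" '
    NF == 3 && $3 ~ /^[0-9]+$/ {
      pid = $2; rss = $3 + 0
      if (!(pid in n)) { first[pid] = rss } else if (rss > last[pid]) { up[pid]++ }
      last[pid] = rss; n[pid]++
    }
    END {
      for (pid in n) {
        steps = n[pid] - 1
        if (n[pid] >= min_n && last[pid] - first[pid] >= min_kb &&
            up[pid] * 10 >= steps * 8)
          print pid, first[pid], last[pid]
      }
    }' "$1" | sort -n
}

# Constructed samples (not real measurements): PID 4101 climbs, PID 4102 is flat.
constructed_samples() {
  cat <<'EOF'
1778500000 4101 120000
1778500000 4102 95000
1778500600 4101 390000
1778500600 4102 97000
1778501200 4101 650000
1778501200 4102 94000
1778501800 4101 910000
1778501800 4102 96000
EOF
}

# Demo on the constructed data: report PIDs that grew by 256 MiB or more.
tmp=$(mktemp)
constructed_samples > "$tmp"
leak_suspects "$tmp" 262144 4
rm -f "$tmp"
```

In practice, `sample_runjobs >> samples.txt` would run on a schedule while the job queue is being processed, and `leak_suspects` would be run over the collected file.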
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Scribunto extension to a version later than 1.45.2, where the vulnerability has been fixed by patches that manually call the destroy() method on engine objects to break the reference cycle and allow proper garbage collection.
If updating is not immediately possible, monitor and limit the memory usage of the runJobs.php script to prevent exhaustion, and avoid running Lua modules that trigger multiple parses or are known to consume excessive memory.
Review and apply any patches available for your current Scribunto version, especially those addressing the destroyEngineForParser() function.