CVE-2026-43981
Deferred - Pending Action
Path Traversal in Algernon Web Server

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state, corrupting the Lua VM. The Go race detector confirms this immediately under modest concurrency (ab -n 1000 -c 100). This vulnerability is fixed in 1.17.6.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: xyproto
Product: algernon
Version / Range: up to 1.17.6 (excluding 1.17.6)
CWE-362: The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Executive Summary

This vulnerability is a race condition in the Algernon web server's Lua handler implementation. Specifically, the synchronization lock (sync.RWMutex) protecting LoadCommonFunctions is released too early, before the Lua calls L.Push() and L.PCall() execute.

Because the Lua state (LState) used by gopher-lua is not safe for concurrent use by multiple goroutines, concurrent requests can interfere with each other when accessing this shared Lua state. This leads to corruption of the Lua virtual machine (VM).

The issue can be detected by the Go race detector under modest concurrency, such as 1000 requests with 100 concurrent connections. This vulnerability is fixed in Algernon version 1.17.6.

Impact Analysis

This vulnerability can cause corruption of the Lua virtual machine state when handling concurrent requests, which can lead to denial of service (DoS) conditions in the Algernon web server.

Because the Lua VM state becomes corrupted, the server may crash or behave unpredictably under concurrent load, impacting availability and reliability of services running on Algernon.

Detection Guidance

This vulnerability can be detected by running a race-detector-enabled build of the Algernon server under modest concurrency.

Generate the concurrent load with a load-testing tool such as ApacheBench (ab), for example: ab -n 1000 -c 100.

Running this load test against the race-detector-enabled server will confirm the presence of the race condition.
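The lock-ordering defect from the description, the executive summary and the detection guidance above, as an added example that is not Algernon's or gopher-lua's own code: the shared Lua state is modelled by a constructed stand-in (`fakeState`), and `handler`, `serve` and `hammer` are names assumed for this illustration. `releaseEarly` reproduces the pre-1.17.6 unlock-before-call sequence; the fixed sequence holds the lock through Push and PCall.

```go
package main

import (
	"fmt"
	"sync"
)

// fakeState is a constructed stand-in for gopher-lua's *lua.LState (not its real
// API): a one-slot stack with a depth counter and no internal locking.
type fakeState struct{ depth, top int }
func (s *fakeState) Push(v int) { s.depth++; s.top = v }
// PCall consumes the one pushed argument and doubles it; any other depth means
// another goroutine interleaved with us, i.e. the VM corruption from the CVE.
func (s *fakeState) PCall() (int, error) {
	d, v := s.depth, s.top
	s.depth = 0
	if d != 1 {
		return 0, fmt.Errorf("stack depth %d, want 1", d)
	}
	return v * 2, nil
}
// handler owns one shared state behind an RWMutex, as in luahandler.go.
type handler struct{ mu sync.RWMutex; L *fakeState }
// serve handles one request. releaseEarly reproduces the pre-1.17.6 ordering
// (lock dropped before Push/PCall); false keeps the lock across every use of L.
func (h *handler) serve(arg int, releaseEarly bool) (int, error) {
	h.mu.Lock() // LoadCommonFunctions would run here, under the lock
	if releaseEarly {
		h.mu.Unlock() // vulnerable ordering: Push and PCall touch L unprotected
	} else {
		defer h.mu.Unlock() // fixed ordering: lock spans every use of L
	}
	h.L.Push(arg)
	return h.L.PCall()
}
// hammer sends n concurrent requests and counts errors and wrong answers.
func hammer(h *handler, n int, releaseEarly bool) (failures int) {
	bad := make(chan bool, n)
	for i := 0; i < n; i++ {
		go func(i int) { v, err := h.serve(i, releaseEarly); bad <- err != nil || v != i*2 }(i)
	}
	for i := 0; i < n; i++ {
		if <-bad {
			failures++
		}
	}
	return failures
}
func main() {
	h := &handler{L: &fakeState{}}
	fmt.Println("fixed:", hammer(h, 1000, false), "vulnerable:", hammer(h, 1000, true))
}
```

The vulnerable count varies from run to run, which is why the advisory points to the race detector rather than to observed corruption: run the program with `go run -race .` and the detector reports the unprotected Push/PCall accesses on the releaseEarly path regardless of whether any request returned a wrong answer.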

Mitigation Strategies

The vulnerability is fixed in Algernon version 1.17.6.

The immediate step to mitigate this vulnerability is to upgrade Algernon to version 1.17.6 or later.

There are no known workarounds for this issue.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
