CVE-2026-41196 Overview
CVE-2026-41196 is a critical sandbox escape vulnerability affecting Luanti (formerly Minetest), an open source voxel game-creation platform. The vulnerability allows a malicious mod to trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This affects multiple execution environments including server-side mod, async, mapgen, and client-side (CSM) environments.
The vulnerability is only exploitable when using LuaJIT as the Lua interpreter. Given that LuaJIT is commonly used for its performance advantages in game engines, this significantly increases the attack surface for Luanti installations.
Critical Impact
A malicious mod can escape the Lua sandbox to achieve arbitrary code execution with full filesystem access, potentially leading to complete system compromise.
Affected Products
- Luanti (formerly Minetest) versions 5.0.0 through 5.15.1
- Installations using LuaJIT as the Lua interpreter
- Server-side mod, async, mapgen, and client-side (CSM) environments
Discovery Timeline
- 2026-04-23 - CVE CVE-2026-41196 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41196
Vulnerability Analysis
This vulnerability is classified as Code Injection (CWE-94), where improper control of code generation allows attackers to inject and execute malicious code. The core issue lies in the Lua sandbox implementation when running under LuaJIT, where the getfenv function can be abused to escape the sandboxed environment.
In a properly sandboxed Lua environment, mod code should be isolated from the host system and restricted to only approved API functions. However, the presence of the getfenv function in LuaJIT environments provides a mechanism for malicious mods to access function environments and traverse up the call stack to reach unsandboxed code, effectively bypassing all security restrictions.
The impact is severe: successful exploitation grants an attacker arbitrary code execution capabilities and full filesystem access on the target system. This could enable data exfiltration, malware installation, persistence mechanisms, or lateral movement within a network.
Root Cause
The root cause of this vulnerability is the exposure of the getfenv function within the LuaJIT execution environment. While getfenv is a standard Lua 5.1 function that returns the environment of a given function, its presence in a sandboxed environment creates a security boundary violation.
LuaJIT, being largely compatible with Lua 5.1, includes this function by default. The Luanti sandbox implementation did not properly restrict access to getfenv, allowing mod code to manipulate function environments and escape the intended security boundaries. The standard PUC-Rio Lua interpreter (versions 5.2+) removed this function, which is why the vulnerability specifically affects LuaJIT configurations.
Attack Vector
The attack vector is network-based, requiring low privileges (an authenticated user) but no user interaction. An attacker can exploit this vulnerability by:
- Creating a malicious mod that utilizes the getfenv function to access the function environment
- Traversing the call stack to locate and access unsandboxed code or global tables
- Using the escaped environment to execute arbitrary system commands or access the filesystem
- Distributing the malicious mod through community channels or mod repositories
The vulnerability affects both server-side and client-side environments, meaning both server operators installing malicious mods and players connecting to malicious servers could be compromised. The attack requires the victim to load the malicious mod, which can occur naturally through normal gameplay when joining a server with custom mods enabled.
Detection Methods for CVE-2026-41196
Indicators of Compromise
- Unusual system process spawning from the Luanti game process
- Unexpected file system access or modifications outside of the Luanti data directory
- Presence of mods containing calls to getfenv function in Lua code
- Network connections originating from the Luanti process to unexpected destinations
- Anomalous CPU or memory usage patterns from the game process
Detection Strategies
- Monitor for Lua mods containing getfenv function calls by scanning mod files before installation
- Implement file integrity monitoring on the Luanti installation and builtin/init.lua file
- Review installed mods for suspicious code patterns that attempt environment manipulation
- Deploy endpoint detection solutions to monitor for unusual child processes spawned by Luanti
Monitoring Recommendations
- Enable logging for file system operations performed by the Luanti process
- Monitor network traffic from Luanti installations for command-and-control communications
- Implement behavioral analysis to detect sandbox escape attempts in real-time
- Track mod installations and changes across managed Luanti deployments
How to Mitigate CVE-2026-41196
Immediate Actions Required
- Upgrade Luanti to version 5.15.2 or later immediately
- Audit all installed mods for suspicious use of getfenv function
- Apply the manual patch to builtin/init.lua if immediate upgrade is not possible
- Remove any untrusted or unverified mods from your installation
Patch Information
Version 5.15.2 of Luanti contains the official patch for this vulnerability. The fix is available in the commit 8a929dfb97aa08337f49ba1bb96a56d6557dc896. Organizations should prioritize upgrading to this version or applying the manual workaround.
For detailed technical information about this vulnerability, refer to the GitHub Security Advisory GHSA-g596-mf82-w8c3.
Workarounds
- Edit builtin/init.lua and add the line getfenv = nil at the end of the file to neutralize the vulnerable function
- Only install mods from trusted and verified sources
- Consider switching from LuaJIT to standard Lua interpreter if performance allows, as this vulnerability only affects LuaJIT
- Implement network segmentation to limit potential lateral movement if a system is compromised
# Manual patch for release versions (apply to builtin/init.lua)
echo "getfenv = nil" >> /path/to/luanti/builtin/init.lua
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
