CVE-2026-43981 Overview
CVE-2026-43981 is a race condition vulnerability in Algernon, a small self-contained pure-Go web server. The flaw exists in engine/luahandler.go where the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Because gopher-lua's LState is explicitly not goroutine-safe, concurrent HTTP requests race on the shared Lua state. The race triggers Lua virtual machine (VM) corruption under modest concurrency, confirmed by the Go race detector using ab -n 1000 -c 100. The vulnerability is classified as CWE-362 and is fixed in Algernon 1.17.6.
Critical Impact
Concurrent requests corrupt the shared Lua VM state, leading to denial-of-service conditions and unpredictable handler behavior on Algernon servers prior to 1.17.6.
Affected Products
- Algernon web server versions prior to 1.17.6
- Applications embedding the affected engine/luahandler.go Lua handler
- Deployments using gopher-lua LState under concurrent HTTP load
Discovery Timeline
- 2026-05-26 - CVE-2026-43981 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-43981
Vulnerability Analysis
The vulnerability resides in the Algernon Lua handler implementation. The handler uses a sync.RWMutex to serialize access to a shared gopher-lua LState while loading common functions. However, the mutex is released too early, before L.Push() pushes arguments onto the Lua stack and before L.PCall() invokes the protected call. Concurrent goroutines servicing HTTP requests then operate on the same LState without synchronization.
gopher-lua documents LState as not goroutine-safe. Concurrent stack manipulation corrupts internal Lua VM structures, including the value stack, call frames, and registry references. The Go race detector flags the violation immediately under the test load ab -n 1000 -c 100. Observed effects include process crashes, panics, and inconsistent script output across requests.
Root Cause
The root cause is a synchronization lifecycle error categorized as CWE-362, Concurrent Execution using Shared Resource with Improper Synchronization. The lock scope does not cover the full critical section. Releasing the mutex before Push and PCall complete leaves shared mutable state exposed to data races between request-handling goroutines.
Attack Vector
A remote unauthenticated attacker sends concurrent HTTP requests to any endpoint served by the affected Lua handler. No authentication or user interaction is required. Modest concurrency is sufficient to trigger the race. Integrity and confidentiality are not directly affected, but service availability degrades as the Lua VM becomes corrupted and the server panics.
The vulnerability manifests through the early mutex release in engine/luahandler.go. For exact diff context, refer to the GitHub Security Advisory GHSA-rr2f-4wrm-h6rg and GitHub Issue #172.
Detection Methods for CVE-2026-43981
Indicators of Compromise
- Unexplained Algernon process panics or crashes referencing gopher-lua stack frames
- Go runtime data race warnings emitted when the server is built with the -race flag
- Inconsistent or truncated responses from Lua-backed endpoints during periods of concurrent load
Detection Strategies
- Run Algernon with the Go race detector enabled in pre-production and replay traffic with ab -n 1000 -c 100 to surface the race
- Inventory deployed Algernon binaries and compare versions against the fixed release 1.17.6
- Monitor application logs for repeated Lua runtime errors correlated with concurrent request bursts
Monitoring Recommendations
- Alert on Algernon process restarts and unexpected exit codes through host-based telemetry
- Track request concurrency metrics against error rates on Lua-handled routes
- Capture stack traces from crashed Algernon instances and review for gopher-lua frames
How to Mitigate CVE-2026-43981
Immediate Actions Required
- Upgrade Algernon to version 1.17.6 or later, which contains the corrected mutex scope
- Restart Algernon services after upgrade to ensure the patched binary is active
- Audit reverse proxy and load balancer configurations to identify exposed Algernon endpoints
Patch Information
The maintainer released the fix in Algernon 1.17.6. The patch extends the sync.RWMutex critical section to cover L.Push() and L.PCall(), eliminating the data race on the shared LState. See the GitHub Security Advisory GHSA-rr2f-4wrm-h6rg for the canonical advisory.
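The lock-scope defect described under Root Cause and the corrected scope described here, modelled in plain Go as an added illustration (this is not Algernon's code or the advisory's diff). The gopher-lua LState is replaced by a constructed, non-goroutine-safe stand-in, and every name below (fakeLState, luaHandler, handleUnsafe, handleFixed, runConcurrent) is an assumption for this example only.

```go
package main

import "sync"
// fakeLState is a constructed stand-in for gopher-lua's *lua.LState: a value stack that, like the real type, is not goroutine-safe.
type fakeLState struct{ stack []int }
func (l *fakeLState) Push(v int) { l.stack = append(l.stack, v) }
// PCall pops two arguments and sums them; ok == false means stack underflow.
func (l *fakeLState) PCall() (int, bool) {
	if n := len(l.stack); n >= 2 {
		sum := l.stack[n-2] + l.stack[n-1]
		l.stack = l.stack[:n-2]
		return sum, true
	}
	return 0, false // the stack was corrupted by a concurrent request
}
// luaHandler models the shared-LState handler in engine/luahandler.go (assumed shape).
type luaHandler struct{ mu sync.RWMutex; L *fakeLState }
func (h *luaHandler) loadCommonFunctions() {} // stand-in for LoadCommonFunctions
// handleUnsafe: pre-1.17.6 shape, mutex released before Push and PCall.
func (h *luaHandler) handleUnsafe(a, b int) (int, bool) {
	h.mu.Lock()
	h.loadCommonFunctions()
	h.mu.Unlock() // too early: Push/PCall below run unsynchronized
	h.L.Push(a)
	h.L.Push(b)
	return h.L.PCall()
}
// handleFixed: 1.17.6 shape, critical section covers Push and PCall.
func (h *luaHandler) handleFixed(a, b int) (int, bool) {
	h.mu.Lock()
	defer h.mu.Unlock()
	h.loadCommonFunctions()
	h.L.Push(a)
	h.L.Push(b)
	return h.L.PCall()
}
// runConcurrent issues n parallel requests computing i+1 and counts correct results; under go test -race the unsafe handler is flagged, as in the advisory.
func runConcurrent(n int, fn func(int, int) (int, bool)) (correct int) {
	res := make(chan bool, n)
	for i := 0; i < n; i++ {
		go func(i int) { got, ok := fn(i, 1); res <- ok && got == i+1 }(i)
	}
	for i := 0; i < n; i++ {
		if <-res {
			correct++
		}
	}
	return correct
}
```

Running runConcurrent over handleUnsafe with -race reproduces the detector warning, while handleFixed stays clean and returns every result correctly.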
Workarounds
- Limit concurrent connections to Algernon at the reverse proxy or load balancer until upgrade is possible
- Restrict access to Lua-handled routes through network ACLs or authentication front-ends
- Disable Lua handler functionality if it is not required for the deployment
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.