CVE-2026-43981: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in xyproto algernon
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state causing Lua VM corruption. The Go race detector confirms this immediately under modest concurrency (ab -n 1000 -c 100). This vulnerability is fixed in 1.17.6.
AI Analysis
Technical Summary
Algernon, a pure-Go web server, had a concurrency flaw in engine/luahandler.go before version 1.17.6. Specifically, the sync.RWMutex guarding LoadCommonFunctions was released prematurely before calls to L.Push() and L.PCall(), which manipulate the Lua state (LState). Since gopher-lua's LState is not safe for concurrent goroutine access, this improper synchronization leads to a race condition that corrupts the Lua virtual machine state under concurrent requests. The Go race detector confirms this behavior under moderate concurrency. The vulnerability is tracked as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and is fixed in version 1.17.6.
Potential Impact
Exploitation of this race condition can cause corruption of the Lua VM state within the algernon server, potentially leading to unpredictable behavior or denial of service. The CVSS 4.0 score of 8.2 indicates a high severity impact with network attack vector, requiring high attack complexity but no privileges or user interaction. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix for this vulnerability is available in algernon version 1.17.6. Users should upgrade to version 1.17.6 or later to remediate this race condition. No other vendor advisories or temporary mitigations are provided. Patch status is confirmed by the version information in the description.
CVE-2026-43981: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in xyproto algernon
Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state causing Lua VM corruption. The Go race detector confirms this immediately under modest concurrency (ab -n 1000 -c 100). This vulnerability is fixed in 1.17.6.
CVSS v4.0
Score 8.2high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Algernon, a pure-Go web server, had a concurrency flaw in engine/luahandler.go before version 1.17.6. Specifically, the sync.RWMutex guarding LoadCommonFunctions was released prematurely before calls to L.Push() and L.PCall(), which manipulate the Lua state (LState). Since gopher-lua's LState is not safe for concurrent goroutine access, this improper synchronization leads to a race condition that corrupts the Lua virtual machine state under concurrent requests. The Go race detector confirms this behavior under moderate concurrency. The vulnerability is tracked as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and is fixed in version 1.17.6.
Potential Impact
Exploitation of this race condition can cause corruption of the Lua VM state within the algernon server, potentially leading to unpredictable behavior or denial of service. The CVSS 4.0 score of 8.2 indicates a high severity impact with network attack vector, requiring high attack complexity but no privileges or user interaction. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix for this vulnerability is available in algernon version 1.17.6. Users should upgrade to version 1.17.6 or later to remediate this race condition. No other vendor advisories or temporary mitigations are provided. Patch status is confirmed by the version information in the description.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-04T20:24:31.916Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a15d22e891d628fdc600885
Added to database: 5/26/2026, 5:02:38 PM
Last enriched: 5/26/2026, 5:33:11 PM
Last updated: 5/26/2026, 9:50:11 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.