CVE Alert

CVE-2026-43981

UNKNOWN 0.0

Algernon: Race Condition in handle() shared LState

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
12th

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state, causing Lua VM corruption. The Go race detector confirms this immediately under modest concurrency (ab -n 1000 -c 100). This vulnerability is fixed in 1.17.6.
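The lock-scope mistake described above, reduced to a self-contained Go program (an added example, not Algernon's code or its actual fix). `fakeState`, `use` and `serve` are hypothetical names, and an overlap counter stands in for the corruption a real non-goroutine-safe VM state would suffer.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// fakeState stands in for a shared, non-goroutine-safe interpreter state (hypothetical).
type fakeState struct {
	inside   int32 // goroutines currently executing inside the state
	overlaps int32 // entries made while another goroutine was inside
}

func (s *fakeState) use() {
	if atomic.AddInt32(&s.inside, 1) > 1 {
		atomic.AddInt32(&s.overlaps, 1)
	}
	time.Sleep(2 * time.Millisecond) // widen the window, as real VM work would
	atomic.AddInt32(&s.inside, -1)
}

// serve runs n concurrent "requests" on one shared state; returns overlaps seen.
func serve(n int, holdLockAcrossCall bool) int32 {
	var mu sync.RWMutex
	var wg sync.WaitGroup
	s := &fakeState{}
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			mu.Lock()
			s.use() // setup step, under the lock in both shapes
			if !holdLockAcrossCall {
				mu.Unlock() // flawed shape: lock dropped before the call
				s.use()
				return
			}
			s.use() // one corrected shape: the call runs under the same lock
			mu.Unlock()
		}()
	}
	wg.Wait()
	return atomic.LoadInt32(&s.overlaps)
}

func main() { fmt.Println("released early:", serve(50, false), "held:", serve(50, true)) }
```

Holding one lock across every use serializes requests on the shared state; giving each request its own state is the usual alternative when that cost is too high.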

CWE CWE-362
Vendor xyproto
Product algernon
Published May 26, 2026
Last Updated May 27, 2026

Affected Versions

xyproto / algernon
< 1.17.6

References

github.com: https://github.com/xyproto/algernon/security/advisories/GHSA-rr2f-4wrm-h6rg
github.com: https://github.com/xyproto/algernon/issues/172