CVE-2026-41196

EUVD-2026-25154
Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod environment, the async and mapgen environments, and the client-side (CSM) environment. The vulnerability is only exploitable when Luanti is built against LuaJIT. Version 5.15.2 contains a patch. On release builds, the issue can also be mitigated without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods that rely on `getfenv` (the function itself is not inherently unsafe).
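The workaround above is a one-line edit, but on a fleet of servers it is worth applying it in a way that is idempotent and leaves a backup. The following POSIX sh helper is an added example, not code from the Luanti project or from this advisory: it appends `getfenv = nil` to a release install's `builtin/init.lua` only if the line is not already there, and reports whether a given binary is dynamically linked against LuaJIT. The path argument, the function names, and the `ldd`-based check (which only says anything on a dynamically linked Linux build) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Luanti project code): apply and verify the advisory's
# workaround by appending `getfenv = nil` to builtin/init.lua exactly once.
# The path argument is the caller's Luanti install; function names are ours.

# Return 0 if the file already contains a `getfenv = nil` line.
getfenv_mitigation_present() {
    grep -Eq '^[[:space:]]*getfenv[[:space:]]*=[[:space:]]*nil[[:space:]]*$' "$1"
}

# Number of `getfenv = nil` lines in the file, to confirm the edit is idempotent.
getfenv_mitigation_count() {
    grep -Ec '^[[:space:]]*getfenv[[:space:]]*=[[:space:]]*nil[[:space:]]*$' "$1"
}

# Append the workaround line at the end of the file, once, keeping a backup.
# Returns 2 if the file does not exist, 1 on a write failure, 0 on success.
apply_getfenv_mitigation() {
    init_lua="$1"
    [ -f "$init_lua" ] || { echo "not found: $init_lua" >&2; return 2; }
    if getfenv_mitigation_present "$init_lua"; then
        return 0
    fi
    cp "$init_lua" "$init_lua.orig" || return 1
    # Ensure the existing last line is newline-terminated before appending,
    # otherwise the new statement would be glued onto it.
    [ -z "$(tail -c 1 "$init_lua")" ] || printf '\n' >> "$init_lua"
    printf 'getfenv = nil\n' >> "$init_lua"
    getfenv_mitigation_present "$init_lua"
}

# Only LuaJIT builds are affected. On a dynamically linked Linux binary, ldd
# shows the runtime; a static build shows nothing, so a "no" here is "unknown".
linked_against_luajit() {
    ldd "$1" 2>/dev/null | grep -qi luajit
}
```

Run `apply_getfenv_mitigation /path/to/luanti/builtin/init.lua` on each affected install and re-run it after any upgrade that replaces `builtin/`, since a package update will overwrite the edited file. The workaround disables `getfenv` for every mod, so expect mods that call it to break; the real fix is upgrading to 5.15.2.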
Weakness: Code Injection

CVSS 3.x (NVD)
Provider | Type    | Base Score    | Attack Vector | Attack Complexity | Privileges Required | Vector
NIST     | Primary | 10.0 CRITICAL | NETWORK       | LOW               | NONE                | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS: percentile 25%
Affected Products (NVD)
Vendor   | Product  | Version
minetest | minetest | 5.0.0 ≤ x < 5.15.2   (x = vulnerable software version)
Debian Releases (product: luanti)
Codename          | Version               | Status
forky             | 5.15.2+dfsg-2         | fixed
sid               | 5.15.2+dfsg-2         | fixed
trixie            | 5.10.0+dfsg-5+deb13u1 | fixed
trixie (security) | 5.10.0+dfsg-5+deb13u1 | fixed
Ubuntu Releases (dne = package does not exist in that release)
Product  | Codename | Status
luanti   | jammy    | dne
luanti   | noble    | dne
luanti   | questing | needs-triage
luanti   | resolute | needs-triage
minetest | bionic   | needs-triage
minetest | focal    | needs-triage
minetest | jammy    | needs-triage
minetest | noble    | needs-triage
minetest | questing | dne
minetest | resolute | dne
minetest | xenial   | ignored