2461027 – (CVE-2026-41196) CVE-2026-41196 luanti: minetest: luajit: Luanti (Minetest): Arbitrary code execution and full filesystem access via malicious mod sandbox escape

Bug 2461027 (CVE-2026-41196) - CVE-2026-41196 luanti: minetest: luajit: Luanti (Minetest): Arbitrary code execution and full filesystem access via malicious mod sandbox escape

Summary: CVE-2026-41196 luanti: minetest: luajit: Luanti (Minetest): Arbitrary code ex...

Keywords:
Status:	NEW
Alias:	CVE-2026-41196
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2461061
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-23 02:01 UTC by OSIDB Bzimport
Modified:	2026-04-23 04:38 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-23 02:01:38 UTC

Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods relying on this function (which is not inherently unsafe).

Note You need to log in before you can comment on or make changes to this bug.