Concurrency Issue in Algernon Web Server by XYPROTOCOL
CVE-2026-43981

8.2 HIGH

Key Information:

Vendor

Xyproto

Status
Vendor
CVE Published: 26 May 2026

What is CVE-2026-43981?

Algernon, a Go-based web server, has a significant concurrency issue in versions prior to 1.17.6. In engine/luahandler.go, the synchronization mechanism (a sync.RWMutex) is released too early, while the Lua virtual machine functions L.Push() and L.PCall() are still executing. This premature release opens a race condition in which multiple concurrent requests interact with a shared Lua state, potentially corrupting the Lua VM. The Go race detector flags the issue readily under moderate concurrent load, confirming the risk for users of the affected versions. The issue is fixed in version 1.17.6.
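The lock-scope flaw described above, as an added example that is not Algernon's code or its 1.17.6 patch: a stand-in VM counts overlapping callers so the effect of releasing the lock before the VM calls can be observed safely. The names `fakeVM`, `earlyUnlock`, `heldLock` and `overlapsUnder` are hypothetical, and the shape of the flawed handler is an assumption.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// fakeVM: constructed stand-in for the shared Lua state; it counts overlaps.
type fakeVM struct{ inside, overlaps int32 }
func (vm *fakeVM) touch(d time.Duration) {
	if atomic.AddInt32(&vm.inside, 1) > 1 {
		atomic.AddInt32(&vm.overlaps, 1) // another request is already inside
	}
	time.Sleep(d)
	atomic.AddInt32(&vm.inside, -1)
}
func (vm *fakeVM) Push()  { vm.touch(0) }
func (vm *fakeVM) PCall() { vm.touch(2 * time.Millisecond) }

// earlyUnlock (assumed shape of the flaw) drops the lock before the VM calls.
func earlyUnlock(mu *sync.RWMutex, vm *fakeVM) {
	mu.Lock()
	mu.Unlock() // released too early
	vm.Push()
	vm.PCall()
}

// heldLock keeps the exclusive lock until PCall has returned.
func heldLock(mu *sync.RWMutex, vm *fakeVM) {
	mu.Lock()
	defer mu.Unlock()
	vm.Push()
	vm.PCall()
}

// overlapsUnder fires n requests at once and returns the overlaps observed.
func overlapsUnder(handler func(*sync.RWMutex, *fakeVM), n int) int32 {
	mu, wg, vm := new(sync.RWMutex), new(sync.WaitGroup), new(fakeVM)
	start := make(chan struct{})
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() { defer wg.Done(); <-start; handler(mu, vm) }()
	}
	close(start) // release every request together
	wg.Wait()
	return atomic.LoadInt32(&vm.overlaps)
}
func main() { fmt.Println(overlapsUnder(earlyUnlock, 16), overlapsUnder(heldLock, 16)) }
```

The held variant takes the exclusive `Lock` because `RLock` admits concurrent readers, while `Push` and `PCall` mutate the state they touch.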

Affected Version(s)

algernon < 1.17.6

References

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
