CVE-2026-40959
Published: 16 April 2026
Summary
CVE-2026-40959 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 0.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SC-50 (Software-enforced Separation and Policy Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Vendor patches in Luanti 5.15.2 directly remediate the LuaJIT sandbox escape vulnerability exploited by crafted mods.
Enforces software-based separation and policy between untrusted Lua mod execution and host system resources, directly preventing sandbox escapes.
Prohibits or restricts user-installed crafted mods that serve as the attack vector for the sandbox escape.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables a Lua sandbox escape via a crafted mod in the client game engine, directly facilitating T1203 (Exploitation for Client Execution), T1059.011 (Lua), and T1068 (Exploitation for Privilege Escalation), with a scope change to full host access.
NVD Description
Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod.
Deeper analysis
CVE-2026-40959 is a critical-severity vulnerability (CVSS 3.1 score of 9.3) affecting Luanti 5 versions prior to 5.15.2 when compiled with LuaJIT. It enables a Lua sandbox escape through a crafted mod, stemming from CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The issue was published on 2026-04-16 and arises in environments where untrusted Lua code is executed within a sandboxed context provided by Luanti, a Lua-based game engine.
An unprivileged local attacker (AV:L, PR:N) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation changes scope (S:C) and has high impact on the confidentiality (C:H), integrity (I:H), and availability (A:H) of the host system, because the malicious mod breaks out of the Lua sandbox.
Mitigation is available through patches in Luanti commits 53cef183e2a85a4daff84ac1a9a7946f940da8f8 and 8a929dfb97aa08337f49ba1bb96a56d6557dc896, which address the sandbox escape. Additional details are provided in the Luanti security advisory at GHSA-g596-mf82-w8c3. Security practitioners should upgrade to Luanti 5.15.2 or later and avoid LuaJIT if sandboxing untrusted mods is required.
Details
- CWE(s)