Attack Chain

1. Attacker crafts a malicious Lua “mod” specifically designed to exploit the sandbox escape vulnerability in Luanti.
2. The malicious mod leverages weaknesses in the LuaJIT implementation within Luanti to bypass sandbox restrictions.
3. The crafted mod is loaded into a vulnerable Luanti 5 instance.
4. Upon execution of the malicious mod, the attacker gains the ability to execute arbitrary Lua code outside the intended sandbox.
5. The attacker can then utilize this escaped context to interact with the underlying operating system.
6. Using OS-level access, the attacker escalates privileges further.
7. The attacker installs persistent backdoors or other malicious software.
8. Finally, the attacker achieves complete system compromise, exfiltrates sensitive data, or causes other damage.

Impact

Successful exploitation of CVE-2026-40959 could lead to a complete compromise of systems utilizing vulnerable versions of Luanti 5 with LuaJIT. An attacker could gain unauthorized access to sensitive data, install malware, or disrupt critical services. Given the critical CVSS score of 9.3, the potential impact is high, especially in environments where Luanti is used to sandbox untrusted Lua code. The number of potential victims depends on the adoption rate of Luanti 5 and the prevalence of LuaJIT usage within those installations.

Recommendation

• Upgrade Luanti to version 5.15.2 or later to patch CVE-2026-40959.
• Monitor for the loading of unsigned or untrusted Lua mods within Luanti environments (see process_creation rule below).
• Inspect Lua mods for suspicious code patterns indicative of sandbox escape attempts (develop custom rules based on the specific LuaJIT weaknesses exploited).