Impact
A race condition exists in the Algernon web server where the sync.RWMutex protecting the LoadCommonFunctions call is released before the L.Push() and L.PCall() operations on a gopher‑lua LState. Because the LState is not goroutine‑safe, concurrent requests can access it simultaneously, corrupting the Lua virtual machine. This flaw is a classic concurrency bug (CWE‑362) that can cause application crashes or potentially allow malicious actors to corrupt execution flow. The impact is primarily a disruption of service, although, depending on the deployment, it could extend to more severe failures if arbitrary Lua code can be executed.
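The locking pattern described above, and the two usual ways to repair it, as an added Go example that is not Algernon or gopher‑lua code. The `vmState` type is a constructed stand‑in for `*lua.LState` (a stack machine that must not be shared between goroutines), `RacyHandler` mirrors the flawed sequence of lock, LoadCommonFunctions, unlock, Push, PCall, and `LockedHandler` and `PooledHandler` are the hypothetical fixes: hold the lock across every LState operation, or give each request its own LState from a `sync.Pool`. The `hammer` helper fires concurrent requests and counts wrong or errored results, which is how VM corruption becomes visible.

```go
package main

import (
	"fmt"
	"sync"
)

// vmState is a constructed stand-in for a gopher-lua *lua.LState: a stack
// machine that, like the real LState, must not be shared between goroutines.
type vmState struct {
	loaded bool
	stack  []int
}

// loadCommonFunctions stands in for registering shared helpers into the VM.
func loadCommonFunctions(L *vmState) { L.loaded = true }

func (L *vmState) Push(v int) { L.stack = append(L.stack, v) }

// PCall pops nargs values and returns their sum. A stack that does not hold
// exactly this request's arguments is reported as corruption, which is what
// interleaved Push/PCall calls from two requests produce.
func (L *vmState) PCall(nargs int) (int, error) {
	if !L.loaded || len(L.stack) != nargs {
		return 0, fmt.Errorf("lua vm state corrupted: %d values on stack, want %d", len(L.stack), nargs)
	}
	sum := 0
	for _, v := range L.stack {
		sum += v
	}
	L.stack = L.stack[:0]
	return sum, nil
}

// RacyHandler reproduces the flawed pattern: the RWMutex guards only
// loadCommonFunctions and is released before Push/PCall touch the shared VM.
type RacyHandler struct {
	mu sync.RWMutex
	L  *vmState
}

func (h *RacyHandler) Serve(a, b int) (int, error) {
	h.mu.Lock()
	loadCommonFunctions(h.L)
	h.mu.Unlock() // too early: the calls below race with other requests
	h.L.Push(a)
	h.L.Push(b)
	return h.L.PCall(2)
}

// LockedHandler is the minimal fix: the critical section covers every
// operation on the shared LState, so requests are fully serialized.
type LockedHandler struct {
	mu sync.Mutex
	L  *vmState
}

func (h *LockedHandler) Serve(a, b int) (int, error) {
	h.mu.Lock()
	defer h.mu.Unlock()
	loadCommonFunctions(h.L)
	h.L.Push(a)
	h.L.Push(b)
	return h.L.PCall(2)
}

// PooledHandler avoids sharing altogether: each request borrows a private,
// already-initialised LState from a sync.Pool, keeping concurrency without a lock.
type PooledHandler struct{ pool sync.Pool }

func NewPooledHandler() *PooledHandler {
	return &PooledHandler{pool: sync.Pool{New: func() interface{} {
		L := &vmState{}
		loadCommonFunctions(L)
		return L
	}}}
}

func (h *PooledHandler) Serve(a, b int) (int, error) {
	L := h.pool.Get().(*vmState)
	defer h.pool.Put(L)
	L.Push(a)
	L.Push(b)
	return L.PCall(2)
}

// hammer issues workers*perWorker concurrent requests and returns how many
// produced an error or a wrong answer, i.e. visible VM corruption.
func hammer(serve func(a, b int) (int, error), workers, perWorker int) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	failures := 0
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func(w int) {
			defer wg.Done()
			for i := 0; i < perWorker; i++ {
				if got, err := serve(w, i); err != nil || got != w+i {
					mu.Lock()
					failures++
					mu.Unlock()
				}
			}
		}(w)
	}
	wg.Wait()
	return failures
}

func main() {
	// The racy handler normally reports failures (or crashes); `go run -race`
	// names the unsynchronized Push/PCall accesses directly.
	fmt.Println("racy failures:  ", hammer((&RacyHandler{L: &vmState{}}).Serve, 16, 1000))
	fmt.Println("locked failures:", hammer((&LockedHandler{L: &vmState{}}).Serve, 16, 1000))
	fmt.Println("pooled failures:", hammer(NewPooledHandler().Serve, 16, 1000))
}
```

The `-race` detector is the cheapest check for this class of bug during review or CI: it flags the unsynchronized writes in `RacyHandler` on the first run, without needing enough traffic to corrupt the VM. Of the two fixes, the per‑request pool is what gopher‑lua users typically end up with, since serializing every handler behind one lock removes the race but also removes the concurrency the server was built for.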
Affected Systems
The affected product is the Algernon web server (xyproto:algernon) in all versions prior to 1.17.6. Any deployment running these versions may experience the race condition when handling concurrent HTTP requests that invoke Lua handlers.
Risk and Exploitability
The CVSS score of 8.2 classifies this vulnerability as high severity. EPSS data is not available, and the entry is not listed in the CISA KEV catalog, though the issue is documented in a public security advisory. The likely attack vector is through normal or malicious concurrent traffic to the web server’s Lua‑enabled endpoints; attackers could trigger the race by sending multiple requests from different clients. Failures typically manifest as service crashes or corrupted Lua VM state, and the exploitation conditions are realistic in high‑traffic or poorly throttled environments. The combination of high severity and a readily reachable attack surface results in a significant risk that warrants prompt mitigation.
OpenCVE Enrichment