Description
Improper Control of Generation of Code ('Code Injection') vulnerability in dendibakh perf-ninja (labs/misc/pgo/lua modules). This vulnerability is associated with program files ldo.C.

This issue affects perf-ninja.
Published: 2026-03-24
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability represents an improper control over code generation, allowing an attacker to hijack the Lua interpreter by injecting crafted bytecode. The result is arbitrary code execution within the context of the perf-ninja application, potentially compromising confidentiality, integrity, and availability of the entire system. The weakness is classified as CWE‑94, which confirms that code injection can occur when untrusted input is used to generate or execute program code.

Affected Systems

The affected product is dendibakh's perf‑ninja, specifically the Lua modules under labs/misc/pgo/lua. No specific version numbers are listed in the CNA data; the issue appears in the current codebase as referenced in pull request 129.

Risk and Exploitability

The CVSS score of 10 indicates a critical level of risk. Exploit probability data (EPSS) is not available, and the vulnerability is not catalogued in CISA’s KEV list. Based on the description, the failure to control bytecode generation suggests that an attacker who can supply or modify Lua bytecode—potentially through local file manipulation or networked input to the perf‑ninja service—can trigger arbitrary code execution. No additional exploitation prerequisites are detailed, but the severity implies that any successful injection would have system‑wide impact.

Generated by OpenCVE AI on March 24, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Merge the fix from pull request 129 into your perf‑ninja deployment to replace the vulnerable ldo.C module

Generated by OpenCVE AI on March 24, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Dendibakh
Dendibakh perf-ninja
Vendors & Products Dendibakh
Dendibakh perf-ninja

Tue, 24 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in dendibakh perf-ninja (labs/misc/pgo/lua modules). This vulnerability is associated with program files ldo.C. This issue affects perf-ninja.
Title Arbitrary Code Execution via Crafted Bytecode in dendibakh/perf-ninja
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:N/AU:Y/R:U/V:D/RE:L/U:Amber'}

Subscriptions

Dendibakh Perf-ninja
cve-icon MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-03-24T18:22:15.123Z

Reserved: 2026-03-24T03:27:05.370Z

Link: CVE-2026-4745

cve-icon Vulnrichment

Updated: 2026-03-24T18:22:11.921Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-24T05:16:25.777

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-4745

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:40:14Z

Weaknesses