CVE-2022-35978

HIGH

Minetest < 5.6.0 - Unauthenticated Protection Mechanism Failure via Global Setting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-35978. PoCs published by CanVo.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2022-35978, which leverages an unsandboxed Lua environment in Minetest to execute arbitrary commands when the game exits to the main menu. The exploit demonstrates privilege escalation by creating a backdoor user with administrative privileges on Windows.

Description

Minetest is a free open-source voxel game engine with easy modding and game creation. In **single player**, a mod can set a global setting that controls the Lua script loaded to display the main menu. The script is then loaded as soon as the game session is exited. The Lua environment the menu runs in is not sandboxed and can directly interfere with the user's system. There are currently no known workarounds.

Exploits (1)

nomisec WORKING POC

by CanVo · poc

https://github.com/CanVo/CVE-2022-35978-POC

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2022-35978, which leverages an unsandboxed Lua environment in Minetest to execute arbitrary commands when the game exits to the main menu. The exploit demonstrates privilege escalation by creating a backdoor user with administrative privileges on Windows.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Minetest versions up to and including 5.5.1

No auth needed

Prerequisites: Minetest installed on Windows · Game run as Administrator for full impact

MITRE ATT&CK

T1059.001 - PowerShell T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory x_refsource_confirm

https://github.com/minetest/minetest/security/advisories/GHSA-663q-pcjw-27cc

Patch, Third Party Advisory x_refsource_misc

https://github.com/minetest/minetest/commit/da71e86633d0b27cd02d7aac9fdac625d141ca13

View Patch ZIP pw:eip

Release Notes, Vendor Advisory x_refsource_misc

https://dev.minetest.net/Changelog#5.5.0_.E2.86.92_5.6.0

Scores

CVSS v3 7.7

EPSS 0.0220

EPSS Percentile 80.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-693

Status published

Products (1)

minetest/minetest < 5.6.0

Published Aug 15, 2022

Tracked Since Feb 18, 2026