CVE-2020-15889

CRITICAL

Lua - Out-of-Bounds Read

Title source: rule

Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.

Core 3

Core References

Exploit, Mailing List, Third Party Advisory x_refsource_misc

Patch, Third Party Advisory x_refsource_misc

Mailing List, Third Party Advisory x_refsource_misc

CVSS v3 9.8

EPSS 0.0051

EPSS Percentile 66.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-125

Status published

Products (1)

lua/lua 5.4.0

Published Jul 21, 2020

Tracked Since Feb 18, 2026