CVE-2020-15889

CRITICAL

Lua 5.4.0 - Heap-Based Buffer Over-Read in youngcollection

Title source: llm
STIX 2.1

Description

Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.

References (3)

Core 3
Core References
Exploit, Mailing List, Third Party Advisory x_refsource_misc
http://lua-users.org/lists/lua-l/2020-07/msg00078.html
Mailing List, Third Party Advisory x_refsource_misc
http://lua-users.org/lists/lua-l/2020-12/msg00157.html

Scores

CVSS v3 9.8
EPSS 0.0223
EPSS Percentile 80.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-125
Status published
Products (1)
lua/lua 5.4.0
Published Jul 21, 2020
Tracked Since Feb 18, 2026