CVE-2020-15888

Summary

CVE	CVE-2020-15888
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-07-21 22:15:00 UTC
Updated	2023-05-16 22:31:00 UTC
Description	Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.

Risk And Classification

Problem Types: CWE-125 | CWE-787 | CWE-416

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Lua	Lua	5.4.0	-	All	All
Application	Lua	Lua	All	All	All	All

References

Reference	Source	Link	Tags
Heap overflow in luaH_get	MISC	lua-users.org	Exploit, Mailing List, Third Party Advisory
heap-buffer-overflow in luaD_pretailcall	MISC	lua-users.org	Exploit, Mailing List, Third Party Advisory
Keep minimum size when shrinking a stack · lua/lua@6298903 · GitHub	MISC	github.com	Patch, Third Party Advisory
Heap overflow in luaT_adjustvarargs	MISC	lua-users.org	Exploit, Mailing List, Third Party Advisory
Fixed bugs of stack reallocation x GC · lua/lua@eb41999 · GitHub	MISC	github.com	Patch, Third Party Advisory
Heap use after free in luaD_call	MISC	lua-users.org	Exploit, Mailing List, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

296071 Oracle Solaris 11.4 Support Repository Update (SRU) 27.82.1 Missing (CPUOCT2020)
900048 CBL-Mariner Linux Security Update for lua 5.3.5
901479 Common Base Linux Mariner (CBL-Mariner) Security Update for lua (6670-1)
903157 Common Base Linux Mariner (CBL-Mariner) Security Update for lua (2657)