CVE-2020-15888

HIGH EPSS 82.3%
Published Jul 21, 20205y ago · Modified Jun 17, 20262w ago
8.8 CVSS 3.1
High
Find Similar
Published Jul 21, 2020 5y ago
Last Modified Jun 17, 2026 2w ago

Description

Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
82.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 3

CWE-125 Out-of-bounds Read Memory Safety
CWE-416 Use After Free Memory Safety
CWE-787 Out-of-bounds Write Memory Safety

Affected Products 1

VendorProductVersionRange
lualua5.4.0any

References 6

  • lua-users.org http://lua-users.org/lists/lua-l/2020-07/msg00053.html
    ExploitMailing ListThird Party Advisory
  • lua-users.org http://lua-users.org/lists/lua-l/2020-07/msg00054.html
    ExploitMailing ListThird Party Advisory
  • lua-users.org http://lua-users.org/lists/lua-l/2020-07/msg00071.html
    ExploitMailing ListThird Party Advisory
  • lua-users.org http://lua-users.org/lists/lua-l/2020-07/msg00079.html
    ExploitMailing ListThird Party Advisory
  • github.com https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7
    PatchThird Party Advisory
  • github.com https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5
    PatchThird Party Advisory

Remediation

  • github.com https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7
    PatchThird Party Advisory
  • github.com https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5
    PatchThird Party Advisory