Skip to main content

Lua

12 CVEs product

Monthly

CVE-2022-33099 HIGH POC PATCH This Week

An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Buffer Overflow Lua Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
2.5%
CVE-2022-28805 CRITICAL POC PATCH Act Now

singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Lua Fedora
NVD GitHub
CVSS 3.1
9.1
EPSS
2.9%
CVE-2021-43519 MEDIUM POC PATCH This Month

Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Lua Fedora
NVD
CVSS 3.1
5.5
EPSS
1.1%
CVE-2020-24371 MEDIUM POC PATCH This Month

lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Lua
NVD GitHub
CVSS 3.1
5.3
EPSS
1.8%
CVE-2020-24370 MEDIUM POC PATCH This Month

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Integer Overflow Lua Fedora Debian Linux
NVD GitHub
CVSS 3.1
5.3
EPSS
3.8%
CVE-2020-24369 HIGH POC PATCH This Week

ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Null Pointer Dereference Denial Of Service Lua
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2020-24342 HIGH POC PATCH This Week

Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Lua Fedora
NVD GitHub
CVSS 3.1
7.8
EPSS
1.1%
CVE-2020-15945 MEDIUM POC PATCH This Month

Lua 5.4.0 (fixed in 5.4.1) has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Lua
NVD GitHub
CVSS 3.1
5.5
EPSS
0.5%
CVE-2020-15889 CRITICAL POC PATCH Act Now

Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Lua
NVD GitHub
CVSS 3.1
9.8
EPSS
2.2%
CVE-2020-15888 HIGH POC PATCH This Week

Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Lua
NVD GitHub
CVSS 3.1
8.8
EPSS
2.4%
CVE-2019-6706 HIGH POC PATCH THREAT This Week

Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Use After Free Memory Corruption Lua Ubuntu Linux
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
17.2%
CVE-2014-5461 MEDIUM POC PATCH THREAT This Month

Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.6%.

Denial Of Service Buffer Overflow Opensuse Ubuntu Linux Debian Linux +2
NVD
CVSS 2.0
5.0
EPSS
10.6%
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Buffer Overflow Lua +1
NVD GitHub
EPSS 3% CVSS 9.1
CRITICAL POC PATCH Act Now

singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Lua +1
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Lua Fedora
NVD
EPSS 2% CVSS 5.3
MEDIUM POC PATCH This Month

lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Lua
NVD GitHub
EPSS 4% CVSS 5.3
MEDIUM POC PATCH This Month

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Integer Overflow Lua +2
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Null Pointer Dereference Denial Of Service Lua
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Lua Fedora
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

Lua 5.4.0 (fixed in 5.4.1) has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Lua
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Lua
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Lua
NVD GitHub
EPSS 17% CVSS 7.5
HIGH POC PATCH THREAT This Week

Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Use After Free Memory Corruption +2
NVD GitHub Exploit-DB
EPSS 11% CVSS 5.0
MEDIUM POC PATCH THREAT This Month

Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.6%.

Denial Of Service Buffer Overflow Opensuse +4
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy