CVE-2020-15888

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15888
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15888.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-15888
Aliases
Downstream
Related
Published
2020-07-21T22:15:12Z
Modified
2025-10-21T05:41:40.966618Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.

References

Affected packages

Git / github.com/lua/lua

Affected ranges

Type
GIT
Repo
https://github.com/lua/lua
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
6298903e35217ab69c279056f925fb72900ce0b7
Fixed
eb41999461b6f428186c55abd95f4ce1a76217d5

Affected versions

v1.*

v1.2

v2.*

v2.1
v2.2
v2.3-beta
v2.4
v2.4-beta
v2.5
v2.5-beta
v2.5.1

v3.*

v3.0
v3.0-alpha
v3.1
v3.1-alpha
v3.2
v3.2-beta

v4.*

v4.0
v4.0-alpha
v4.0-beta
v4.1-alpha

v5.*

v5.0
v5.0-alpha
v5.0-beta
v5.1
v5.1-alpha
v5.1-beta
v5.1.1
v5.2-alpha
v5.2-beta
v5.2.0
v5.2.1
v5.2.2
v5.3-alpha
v5.3-beta
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.4-alpha
v5.4-beta
v5.4-w2
v5.4.0

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "130386227620455140858146550303983838314",
                "53530003333973101310414257650565813173",
                "28974977378586334153185605006886505404",
                "136918642051494489778486467500759107040",
                "328159481941225625655491816177627870490",
                "186359140399090271729245150160144907014",
                "307933728407298461961473498693164051109",
                "18570838454356378009077054400105344104",
                "276237006808805615248351817130758371705",
                "300432671829517395228355465263980445269"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2020-15888-0e454c8a",
        "target": {
            "file": "ldo.h"
        },
        "source": "https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "105135762939629227699804883912263599423",
                "247486404441361576507022499946075620572",
                "118496697812361212017269119553004280254",
                "106424969772443140265390255039807120079",
                "37540638878154083333708483624367283972",
                "169294646749318997068984273064754916339",
                "93724494676492250101028184475526945103",
                "319218437690893170572963497387866274074"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2020-15888-1356813b",
        "target": {
            "file": "ltm.c"
        },
        "source": "https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "digest": {
            "function_hash": "180637455239788581404342292874638595161",
            "length": 337.0
        },
        "deprecated": false,
        "id": "CVE-2020-15888-2d75f329",
        "target": {
            "function": "luaD_shrinkstack",
            "file": "ldo.c"
        },
        "source": "https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "231483642368277910488853698800913036458",
                "262414955084817609584224181936361745183",
                "49450719460278863998359163241966262560",
                "11043102250839843449606126582202505977",
                "184449424765427880990090857574888028249",
                "201550099967893807412619658723682673252",
                "94801572708305704545442678458010346836",
                "163722850367216824107617962342832113473"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2020-15888-3952a7cf",
        "target": {
            "file": "ldo.c"
        },
        "source": "https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "20768315219636672424456947595552143535",
                "312418570843409483009923973890277641613",
                "253482659380919832210443693850598886815",
                "120018164947122116008547476865049921541"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2020-15888-9f89c533",
        "target": {
            "file": "lvm.c"
        },
        "source": "https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5",
        "signature_type": "Line"
    }
]