CVE-2020-15888

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15888
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15888.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-15888
Aliases
Downstream
Related
Published
2020-07-21T22:15:12.090Z
Modified
2025-11-20T11:18:03.091733Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.

References

Affected packages

Git / github.com/lua/lua

Affected ranges

Type
GIT
Repo
https://github.com/lua/lua
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
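Fixed
Fixed
(Both fixed-commit hashes are missing from this rendering. The vanir_signatures entries below cite two upstream commits as their source, eb41999461b6f428186c55abd95f4ce1a76217d5 and 6298903e35217ab69c279056f925fb72900ce0b7; these are presumably the two fix commits, to be confirmed against the OSV JSON record linked above.)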

Affected versions

v1.*

v1.2

v2.*

v2.1
v2.2
v2.3-beta
v2.4
v2.4-beta
v2.5
v2.5-beta
v2.5.1

v3.*

v3.0
v3.0-alpha
v3.1
v3.1-alpha
v3.2
v3.2-beta

v4.*

v4.0
v4.0-alpha
v4.0-beta
v4.1-alpha

v5.*

v5.0
v5.0-alpha
v5.0-beta
v5.1
v5.1-alpha
v5.1-beta
v5.1.1
v5.2-alpha
v5.2-beta
v5.2.0
v5.2.1
v5.2.2
v5.3-alpha
v5.3-beta
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.4-alpha
v5.4-beta
v5.4-w2
v5.4.0

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "ldo.h"
        },
        "digest": {
            "line_hashes": [
                "130386227620455140858146550303983838314",
                "53530003333973101310414257650565813173",
                "28974977378586334153185605006886505404",
                "136918642051494489778486467500759107040",
                "328159481941225625655491816177627870490",
                "186359140399090271729245150160144907014",
                "307933728407298461961473498693164051109",
                "18570838454356378009077054400105344104",
                "276237006808805615248351817130758371705",
                "300432671829517395228355465263980445269"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5",
        "signature_version": "v1",
        "id": "CVE-2020-15888-0e454c8a"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "ltm.c"
        },
        "digest": {
            "line_hashes": [
                "105135762939629227699804883912263599423",
                "247486404441361576507022499946075620572",
                "118496697812361212017269119553004280254",
                "106424969772443140265390255039807120079",
                "37540638878154083333708483624367283972",
                "169294646749318997068984273064754916339",
                "93724494676492250101028184475526945103",
                "319218437690893170572963497387866274074"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5",
        "signature_version": "v1",
        "id": "CVE-2020-15888-1356813b"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "ldo.c",
            "function": "luaD_shrinkstack"
        },
        "digest": {
            "length": 337.0,
            "function_hash": "180637455239788581404342292874638595161"
        },
        "source": "https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7",
        "signature_version": "v1",
        "id": "CVE-2020-15888-2d75f329"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "ldo.c"
        },
        "digest": {
            "line_hashes": [
                "231483642368277910488853698800913036458",
                "262414955084817609584224181936361745183",
                "49450719460278863998359163241966262560",
                "11043102250839843449606126582202505977",
                "184449424765427880990090857574888028249",
                "201550099967893807412619658723682673252",
                "94801572708305704545442678458010346836",
                "163722850367216824107617962342832113473"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7",
        "signature_version": "v1",
        "id": "CVE-2020-15888-3952a7cf"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "ldo.c",
            "function": "luaD_call"
        },
        "digest": {
            "length": 1509.0,
            "function_hash": "136009506937592626158199070727855004197"
        },
        "source": "https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5",
        "signature_version": "v1",
        "id": "CVE-2020-15888-9ee90b41"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "lvm.c"
        },
        "digest": {
            "line_hashes": [
                "20768315219636672424456947595552143535",
                "312418570843409483009923973890277641613",
                "253482659380919832210443693850598886815",
                "120018164947122116008547476865049921541"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5",
        "signature_version": "v1",
        "id": "CVE-2020-15888-9f89c533"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "ldo.c"
        },
        "digest": {
            "line_hashes": [
                "181058428518885419945385051336608550914",
                "284718634292155128971926324015237783507",
                "139310162442390529532473601367270833485",
                "81694899817825485016720036654728327394",
                "173246423704498111617548112127785661166",
                "137251093283182934359963738473937614553",
                "208988605824088461826622528723897400198",
                "212792032198209198573710581675462984276",
                "218588777091244943656313248424085997157",
                "119249203473659740300875825381350181572",
                "232882423076067461982191408261311466150",
                "153159102240602125346143502249893248736",
                "311307507113412773825105000136913228162",
                "106913050874660375707101220966945234547",
                "95745715240688782011736222216082295920",
                "178858761131312535994492836591177829413",
                "95682888830649786446683714102472634757",
                "310692158738956708457476409107223903896",
                "22829474248029709211548360573790173407",
                "303758988373961855927450191357532808913",
                "213387659119569565173587322308888252406",
                "149044147502592939062351731419273656978",
                "279760676122211665967478919224310415336"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5",
        "signature_version": "v1",
        "id": "CVE-2020-15888-e0148d2a"
    }
]