CVE-2020-15945

low-risk

Published 2020-07-24

Lua 5.4.0 (fixed in 5.4.1) has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.

Do I need to act?

0.16% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Lua

Affected Vendors

Lua

References (5)

Exploit http://lua-users.org/lists/lua-l/2020-07/msg00123.html

Patch https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3

https://www.lua.org/bugs.html#5.4.0-8

Exploit http://lua-users.org/lists/lua-l/2020-07/msg00123.html

Patch https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal