Use After Free Vulnerability in Lua Interpreter Affecting Specific Versions
CVE-2021-44964

6.3MEDIUM

Key Information:

Vendor

Lua

Status
Lua
Vendor
CVE Published:
14 March 2022

What is CVE-2021-44964?

The Lua interpreter versions 5.4.0 to 5.4.3 exhibit a use-after-free vulnerability in the garbage collector and finalizer components. This flaw enables attackers to craft malicious scripts that can exploit this vulnerability, potentially leading to unauthorized access and execution outside the intended sandbox environment. As a result, it is crucial for users and developers relying on these versions of Lua to implement security updates and mitigate risk.

References

http://lua-users.org/lists/lua-l/2021-11/msg00186.html
x_refsource_MISC
http://lua-users.org/lists/lua-l/2021-12/msg00007.html
x_refsource_MISC
http://lua-users.org/lists/lua-l/2021-12/msg00015.html
x_refsource_MISC

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.