{"id":"CVE-2020-15889","details":"Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.","aliases":["BIT-lua-2020-15889"],"modified":"2026-04-11T21:20:02.470776Z","published":"2020-07-21T22:15:12.150Z","references":[{"type":"ADVISORY","url":"http://lua-users.org/lists/lua-l/2020-12/msg00157.html"},{"type":"FIX","url":"https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312"},{"type":"EVIDENCE","url":"http://lua-users.org/lists/lua-l/2020-07/msg00078.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lua/lua","events":[{"introduced":"0"},{"last_affected":"c33b1728aeb7dfeec4013562660e07d32697aa6b"},{"fixed":"127e7a6c8942b362aa3c6627f44d660a4fb75312"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.4.0"}]}}],"versions":["v1.2","v2.1","v2.2","v2.3-beta","v2.4","v2.4-beta","v2.5","v2.5-beta","v2.5.1","v3.0","v3.0-alpha","v3.1","v3.1-alpha","v3.2","v3.2-beta","v4.0","v4.0-alpha","v4.0-beta","v4.1-alpha","v5.0","v5.0-alpha","v5.0-beta","v5.1","v5.1-alpha","v5.1-beta","v5.1.1","v5.2-alpha","v5.2-beta","v5.2.0","v5.2.1","v5.2.2","v5.3-alpha","v5.3-beta","v5.3.0","v5.3.1","v5.3.2","v5.3.3","v5.3.4","v5.4-alpha","v5.4-beta","v5.4-w2","v5.4.0"],"database_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["33806952625595217983272738707404348225","54845178931446360748967184937984859969","12660585324071077448513951454168378358","178375425586030612822274894787116549398","69646801792118292822006701814980344525","198212268633878255442099821443487555623","281006230464054444442865744331568088035"]},"deprecated":false,"target":{"file":"lgc.c"},"signature_version":"v1","id":"CVE-2020-15889-ce83878b","source":"https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312","signature_type":"Line"},{"digest":{"length":823,"function_hash":"176391760155847415929674594339149499199"},"deprecated":false,"target":{"file":"lgc.c","function":"youngcollection"},"signature_version":"v1","id":"CVE-2020-15889-de75bad6","source":"https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312","signature_type":"Function"}],"vanir_signatures_modified":"2026-04-11T21:20:02Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15889.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}