{"id":"CVE-2020-24371","details":"lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.","aliases":["BIT-lua-2020-24371"],"modified":"2026-04-11T11:23:19.672560Z","published":"2020-08-17T17:15:13.927Z","related":["SUSE-SU-2021:2196-1","openSUSE-SU-2021:0962-1","openSUSE-SU-2021:2196-1","openSUSE-SU-2024:11028-1","openSUSE-SU-2024:11029-1","openSUSE-SU-2025:15401-1"],"references":[{"type":"FIX","url":"https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110"},{"type":"FIX","url":"https://www.lua.org/bugs.html#5.4.0-10"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lua/lua","events":[{"introduced":"0"},{"last_affected":"c33b1728aeb7dfeec4013562660e07d32697aa6b"},{"fixed":"a6da1472c0c5e05ff249325f979531ad51533110"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.4.0-NA"}]}}],"versions":["v1.2","v2.1","v2.2","v2.3-beta","v2.4","v2.4-beta","v2.5","v2.5-beta","v2.5.1","v3.0","v3.0-alpha","v3.1","v3.1-alpha","v3.2","v3.2-beta","v4.0","v4.0-alpha","v4.0-beta","v4.1-alpha","v5.0","v5.0-alpha","v5.0-beta","v5.1","v5.1-alpha","v5.1-beta","v5.1.1","v5.2-alpha","v5.2-beta","v5.2.0","v5.2.1","v5.2.2","v5.3-alpha","v5.3-beta","v5.3.0","v5.3.1","v5.3.2","v5.3.3","v5.3.4","v5.4-alpha","v5.4-beta","v5.4-w2","v5.4.0"],"database_specific":{"vanir_signatures_modified":"2026-04-11T11:23:19Z","vanir_signatures":[{"deprecated":false,"signature_version":"v1","id":"CVE-2020-24371-3ad77f13","target":{"file":"lgc.c","function":"remarkupvals"},"signature_type":"Function","digest":{"function_hash":"230888440196023068660042484403295836192","length":491},"source":"https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110"},{"deprecated":false,"signature_version":"v1","id":"CVE-2020-24371-717ce452","target":{"file":"lgc.c","function":"atomic2gen"},"signature_type":"Function","digest":{"function_hash":"148649635605489108398390794752528839496","length":463},"source":"https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110"},{"deprecated":false,"signature_version":"v1","id":"CVE-2020-24371-b816129f","target":{"file":"lgc.c","function":"luaC_barrier_"},"signature_type":"Function","digest":{"function_hash":"73126039911420152274233437857816255771","length":438},"source":"https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110"},{"deprecated":false,"signature_version":"v1","id":"CVE-2020-24371-ed9eccc8","target":{"file":"lgc.c","function":"youngcollection"},"signature_type":"Function","digest":{"function_hash":"62293687244825559462354794285034139876","length":820},"source":"https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110"},{"deprecated":false,"signature_version":"v1","id":"CVE-2020-24371-f2e531cd","target":{"file":"lgc.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["247043816592523228306167864313656777148","128022539470724253876190143736616008833","277784156431681346734209104841665649763","293610384820954965735016816188173325444","180122197416099943960443147549862980667","146946380213547060947882303726874734793","117165732476182395299500896645280365288","188730725681045488505131978435297376627","269972676927384416685274953499422962496","218390374446829489799854226723855946150","63801094826520712061319164997725480474","12340125685636578054225060909693252412","263165008466768107267534801681210705820","324223054354298017487335419729354385561","281694410998367628274707905667833317721","90661529539236227515015123442963964233","331768705513796519620639853311959911390","61153750338018608563606415716016360437","316178962228218637641645618391086218149","29169271078618445766426752526479696958","274141475334442822849514259158662979723","315602760525419211381069342473058358726","124356748170853152830734215933560967725","298493242176478445102444444559732226850","42742995477068854504560106584943118884","332334190360064138671157402824931776680","79662100093156639030414633139045847225","42949527436635597150540362450550434437","194541665703311230294064044909546994559","4436196464461007259879259789700659912","62075780827700133745497836683468249733","86267174718487447218983876365871746188","62160341757005522749984961342269236912","182797068030575012903286821449990934710","337715759172909069055848498856358582938","288235394316488958967272638655547118720","34516602568621660371087614665292278998","299813941888886661147148464353338899467"]},"source":"https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-24371.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}