{"id":"JLSEC-2026-560","details":"The singlevar function in lparser.c in Lua versions 5.4.0 (inclusive) up to 5.4.4 (exclusive) lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.","modified":"2026-05-26T20:00:07.882191947Z","published":"2026-05-26T19:45:06.761Z","upstream":["CVE-2022-28805"],"database_specific":{"sources":[{"database_specific":{"status":"Modified"},"url":"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-28805","id":"CVE-2022-28805","imported":"2026-05-26T02:05:11.498Z","modified":"2024-11-21T06:57:57.733Z","published":"2022-04-08T06:15:07.243Z","html_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-28805"}],"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa"},{"type":"WEB","url":"https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RJNJ66IFDUKWJJZXHGOLRGIA3HWWC36R/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RJNJ66IFDUKWJJZXHGOLRGIA3HWWC36R/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHYZOEFDVLVAD6EEP4CDW6DNONIVVHPA/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHYZOEFDVLVAD6EEP4CDW6DNONIVVHPA/"},{"type":"WEB","url":"https://lua-users.org/lists/lua-l/2022-02/msg00001.html"},{"type":"WEB","url":"https://lua-users.org/lists/lua-l/2022-02/msg00001.html"},{"type":"WEB","url":"https://lua-users.org/lists/lua-l/2022-02/msg00070.html"},{"type":"WEB","url":"https://lua-users.org/lists/lua-l/2022-02/msg00070.html"},{"type":"WEB","url":"https://lua-users.org/lists/lua-l/2022-04/msg00009.html"},{"type":"WEB","url":"https://lua-use
rs.org/lists/lua-l/2022-04/msg00009.html"},{"type":"WEB","url":"https://security.gentoo.org/glsa/202305-23"},{"type":"WEB","url":"https://security.gentoo.org/glsa/202305-23"}],"affected":[{"package":{"name":"Lua_jll","ecosystem":"Julia","purl":"pkg:julia/Lua_jll?uuid=a4086b1d-a96a-5d6b-8e4f-2030e6f25ba6"},"ranges":[{"type":"SEMVER","events":[{"introduced":"5.4.3+0"},{"fixed":"5.4.6+0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-560.json"}}],"schema_version":"1.7.5"}