CVE-2021-45985

Description

In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.

How to fix CVE-2021-45985

To remediate CVE-2021-45985, upgrade the affected package to a fixed version below.

• Bitnami/lua—upgrade to 5.4.4 or later
• Debian/lua5.4—no fix listed

Is CVE-2021-45985 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• >= 5.4.0, < 5.4.4
• from 0

CVSS scores

References (5)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-45985
• WEBlua-users.org/lists/lua-l/2021-12/msg00019.html
• WEBgithub.com/lua/lua/commit/cf613cdc6fa367257fc61c256f63d917350858b5
• WEBnvd.nist.gov/vuln/detail/CVE-2021-45985
• WEB