PT-2020-6263 · Lua+8

Yongheng Chen · Published 2020-07-24 · Updated 2025-08-18 · CVE-2020-24370

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Lua version 5.4.0
Description: An integer overflow in the ldebug.c component of the Lua script interpreter can be exploited by a remote attacker to cause a denial of service. The vulnerability is demonstrated by the call getlocal(3, 2^31), which leads to a negation overflow and a segmentation fault in the getlocal and setlocal functions.
Recommendations: For Lua version 5.4.0, consider disabling the getlocal and setlocal functions in the ldebug.c component as a temporary workaround until a patch is available, and restrict access to these functions to minimize the risk of exploitation. Avoid calling getlocal with large input values, such as 2^31, until the issue is resolved. At the moment there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration: Integer Underflow

Related Identifiers

ALSA-2021:4510
ALT-PU-2025-10165
AZL-41149
BDU:2021-03735
BIT-LUA-2020-24370
CESA-2021_4510
CVE-2020-24370
DLA-2381-1
DLA-3469-1
MGASA-2020-0362
OESA-2024-2169
OESA-2025-1278
OESA-2025-1279
OESA-2025-1280
OESA-2025-1281
OESA-2025-1301
OPENSUSE-SU-2021:0962-1
OPENSUSE-SU-2021:2196-1
OPENSUSE-SU-2021_0962-1
OPENSUSE-SU-2021_2196-1
OPENSUSE-SU-2024:11028-1
OPENSUSE-SU-2024:11029-1
OPENSUSE-SU-2025:15401-1
RHSA-2021:4510
RHSA-2021_4510
RLSA-2021:4510
SUSE-SU-2021:2196-1
SUSE-SU-2021_2196-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Lua
Red Hat
RED OS
Rocky Linux
SUSE