PT-2022-3822 · Lua+6

Roberto-Ieru · Published 2022-02-15 · Updated 2024-07-29 · CVE-2022-28805

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Lua versions 5.4.0 through 5.4.4

Description: The issue is a heap-based buffer over-read in the singlevar function in lparser.c of Lua. It might affect systems that compile untrusted Lua code, potentially allowing a remote attacker to execute arbitrary code. The root cause is a missing luaK_exp2anyregup call.

Recommendations: For Lua versions 5.4.0 through 5.4.3, update to version 5.4.4 or later to resolve the issue. Version 5.4.4 is listed within the vulnerable range and no exact fix version is stated for it, but updating beyond 5.4.4 is implied to mitigate the risk. At the moment there is no information about additional mitigation measures for this specific vulnerability.

Tags: Exploit · Fix · DoS · Out-of-bounds Read


Weakness Enumeration

Related Identifiers

ALSA-2023:2582
ALT-PU-2024-3994
AZL-40812
AZL-9333
BDU:2022-04620
BIT-LUA-2022-28805
CVE-2022-28805
OESA-2022-1632
RHSA-2023:2582
RHSA-2023_2582
USN-6916-1

Affected Products

Alt Linux
Almalinux
Debian
Linuxmint
Lua
Red Hat
Ubuntu