{"id":"CVE-2022-28805","details":"singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.","aliases":["BIT-lua-2022-28805"],"modified":"2026-05-19T12:03:09.410699141Z","published":"2022-04-08T00:00:00Z","related":["ALSA-2023:2582","CGA-j55v-2chm-rh2g"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/28xxx/CVE-2022-28805.json","cna_assigner":"mitre"},"references":[{"type":"WEB","url":"https://lua-users.org/lists/lua-l/2022-02/msg00001.html"},{"type":"WEB","url":"https://lua-users.org/lists/lua-l/2022-02/msg00070.html"},{"type":"WEB","url":"https://lua-users.org/lists/lua-l/2022-04/msg00009.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/28xxx/CVE-2022-28805.json"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RJNJ66IFDUKWJJZXHGOLRGIA3HWWC36R/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHYZOEFDVLVAD6EEP4CDW6DNONIVVHPA/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-28805"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202305-23"},{"type":"FIX","url":"https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lua/lua","events":[{"introduced":"c33b1728aeb7dfeec4013562660e07d32697aa6b"},{"fixed":"e15f1f2bb7a38a3c94519294d031e48508d65006"},{"fixed":"1f3c6f4534c6411313361697d98d1145a1f030fa"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:lua:lua:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"5.4.0"},{"fixed":"5.4.5"}]}}],"versions":["v5.4.4","v5.4.3","v5.4.2","v5.4.1","v5.4.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-28805.json"}}],"schema_version":"1.7.5"}