
Debian: luajit Critical Security Update DLA-4283-1 CVE-2019-19391

Debian LTS
August 25, 2025
This update for luajit in Debian addresses several vulnerabilities that could result in service interruptions; users are advised to update promptly.
Multiple vulnerabilities were found in luajit, a just-in-time compiler for the Lua programming language, which could lead to denial of service.

Summary

CVE-2019-19391

It was discovered that debug.getinfo() has a type confusion issue
that leads to arbitrary memory write or read operations, because
certain cases involving valid stack levels and `>` options are
mishandled.

NOTE: The LuaJIT project owner disputes the vulnerability and states
that the debug library is unsafe by design.

CVE-2020-15890

Yongheng Chen discovered an out-of-bounds read because `__gc`
handler frame traversal is mishandled.

CVE-2020-24372

Yongheng Chen discovered an out-of-bounds read in lj_err_run().

CVE-2024-25176

Kutyavin Maxim discovered a stack-buffer-overflow in
lj_strfmt_wfnum().

CVE-2024-25177

Kutyavin Maxim discovered an unsinking of IR_FSTORE for NULL
metatable.

CVE-2024-25178

Kutyavin Maxim discovered an out-of-bounds read in the
stack-overflow handler.

For Debian 11 bullseye, these problems have been fixed in version
2.1.0~beta3+dfsg-5.3+deb11u1.

We recommend that you upgrade your luajit packages.


Severity: critical

Package: luajit
Version: 2.1.0~beta3+dfsg-5.3+deb11u1
CVE ID: CVE-2019-19391 CVE-2020-15890 CVE-2020-24372 CVE-2024-25176
Debian Bug: 946053 966148
