CVE-2021-45985: vulnerability analysis and mitigation

Overview

CVE-2021-45985 affects Lua version 5.4.3, where an erroneous finalizer called during a tail call leads to a heap-based buffer over-read. The vulnerability was discovered in December 2021 and has been assigned a CVSS v3.1 base score of 7.5 (High) (NVD).

Technical details

The vulnerability occurs when a finalizer runs during execution of the `luaD_pretailcall` function. The issue arises because `ci->u.l.savedpc` is set to the program counter (pc) of function g() before `luaD_pretailcall` is called, while `ci_func(ci)->p` refers to function f() after the copy. Because of this mismatch, the relative distance is computed between the pc of one function and the prototype of a different function rather than within the same function, ultimately causing a heap buffer overflow (Lua Users).
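To make the mismatch concrete, here is an added, simplified model (not Lua's own source): a stand-in `Proto` with a per-instruction line table, the same `pcRel` arithmetic Lua uses, and a bounds-checked lookup that rejects a saved pc resolved against the wrong function's prototype. The layout of f and g in one pool, the line tables and the absolute (rather than Lua's delta-encoded) line info are all constructed for the example.

```c
#include <stdio.h>

typedef unsigned int Instruction;

/* Simplified stand-in for Lua's Proto: the function's code range plus a
 * line table with exactly one entry per instruction of *this* function. */
typedef struct Proto {
    const char *name;
    const Instruction *code;  /* first instruction of this function */
    int sizecode;
    const int *lineinfo;      /* source line per instruction (model only) */
} Proto;

/* Same arithmetic as Lua's pcRel(pc, p): offset of the instruction before
 * pc from the start of p's code. Only meaningful when pc lies inside p. */
static int pc_rel(const Instruction *pc, const Proto *p) {
    return (int)(pc - p->code) - 1;
}

/* Hardened lookup: refuses to index lineinfo when the saved pc does not
 * fall inside the Proto it is resolved against; returns -1 on mismatch.
 * In the tail-call window described above, savedpc belonged to g while
 * the Proto was f, so the raw index could run past f's table. */
static int func_line(const Proto *p, const Instruction *savedpc) {
    int idx = pc_rel(savedpc, p);
    if (idx < 0 || idx >= p->sizecode)
        return -1;
    return p->lineinfo[idx];
}

/* Constructed sample: f (4 instructions) and g (8) laid out back to back in
 * one pool so the pointer arithmetic is well defined even when mismatched. */
static const Instruction pool[12];
static const int f_lines[4] = {10, 11, 11, 12};
static const int g_lines[8] = {20, 21, 21, 22, 23, 23, 24, 25};
static const Proto f = {"f", pool, 4, f_lines};
static const Proto g = {"g", pool + 4, 8, g_lines};

/* savedpc recorded while g was running: just past g's 6th instruction. */
static const Instruction *const savedpc_in_g = pool + 4 + 6;

int line_with_matching_proto(void)   { return func_line(&g, savedpc_in_g); }  /* 23 */
int line_with_mismatched_proto(void) { return func_line(&f, savedpc_in_g); }  /* -1 */
int mismatched_index(void)           { return pc_rel(savedpc_in_g, &f); }     /* 9 */

int main(void) {
    printf("matching proto: line %d\n", line_with_matching_proto());
    printf("mismatched proto: raw index %d (f has %d entries), lookup -> %d\n",
           mismatched_index(), f.sizecode, line_with_mismatched_proto());
    return 0;
}
```

The raw index 9 against a 4-entry table is the out-of-bounds read the advisory describes; the check in `func_line` is the invariant the 5.4.4 fix restores by keeping savedpc and the prototype consistent.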

Impact

When exploited, this vulnerability can lead to a heap-based buffer over-read condition. The issue has been assigned a high severity rating with a CVSS score of 7.5, indicating significant potential impact on system availability (NVD).

Mitigation and workarounds

The issue has been fixed in Lua version 5.4.4 through a patch that corrects the stack handling during tail calls. The fix is available in commit cf613cdc6fa367257fc61c256f63d917350858b5 (Lua Commit). Users should upgrade to the patched version.
