Description
An issue from the component luaG_runerror in dependencies/lua/src/ldebug.c in praydog/REFramework version before 1.5.5 leads to a heap-buffer overflow when a recursive error occurs.
Published: 2026-01-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Patch
AI Analysis

Impact

This vulnerability is a heap-buffer overflow in luaG_runerror, the function in Lua's debug and error-reporting module (dependencies/lua/src/ldebug.c) that formats a runtime error message and raises it, as vendored by praydog/REFramework before version 1.5.5. The overflow occurs when an error is raised recursively, that is, while an earlier error is still being handled. Lua keeps its value stack in a heap-allocated array, so an error path that pushes onto that stack without first making sure a slot is free writes past the end of the allocation; the CVE title, "Save stack space while handling errors", points at this mechanism. The record classifies the flaw as an out-of-bounds write (CWE-787). The assigned CVSS v4.0 vector rates the impact as availability only (VC:N/VI:N/VA:H), i.e. a crash or denial of service; code execution is not assessed in the record and should not be assumed from the weakness class alone.
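The following C program is an added example for this page, not code from Lua, REFramework or the 1.5.5 fix, and it does not reproduce the REFramework trigger (which the record does not describe). It models the general shape of this bug class: a toy interpreter whose value stack lives in a fixed-size heap buffer, an error reporter that pushes a message on every entry, including re-entry when the error handler itself fails, and a hardened reporter that checks capacity first and falls back to a preallocated message instead of extending the stack inside the error path. All names, sizes and the encoding of messages as integers are hypothetical; the canary word stands in for whatever heap object follows the stack in a real allocator.

```c
/*
 * Added illustrative model for this page: NOT code from Lua, REFramework,
 * or the 1.5.5 fix.  A toy interpreter keeps its value stack in a heap
 * buffer of fixed capacity.  The vulnerable error reporter pushes a new
 * message every time it runs, including when it runs again because the
 * error handler itself raised an error ("recursive error").  With the
 * stack already nearly full, the second push lands past the last slot.
 * The hardened reporter checks capacity first and, when no slot is free,
 * overwrites the previous message with a preallocated one instead of
 * growing the stack inside the error path.
 */
#include <stdio.h>
#include <stdlib.h>

#define STACK_SLOTS 4             /* hypothetical, tiny on purpose */
#define SLACK_WORDS 16            /* stands in for the neighbouring heap object */
#define CANARY 0x5A5A5A5Au        /* first word after the last slot */
#define STATIC_ERRMSG 0xE0E0E0E0u /* preallocated "error in error handling" */

typedef struct {
    unsigned *base;               /* heap-allocated value stack */
    unsigned *top;                /* next free slot */
    int recursion_left;           /* how many times the handler re-raises */
} VM;

static VM *vm_new(void) {
    VM *vm = calloc(1, sizeof *vm);
    if (!vm) abort();
    /* slots, the canary, then slack so the demo stays defined behaviour
     * even when the vulnerable path writes several words too far */
    vm->base = malloc((STACK_SLOTS + 1 + SLACK_WORDS) * sizeof *vm->base);
    if (!vm->base) abort();
    vm->top = vm->base;
    vm->base[STACK_SLOTS] = CANARY;
    return vm;
}

static void vm_free(VM *vm) { free(vm->base); free(vm); }

/* Vulnerable: no capacity check.  Every (re-)entry pushes one more word. */
static void runerror_vuln(VM *vm, unsigned msg) {
    *vm->top++ = msg;
    if (vm->recursion_left > 0) {     /* the handler itself fails */
        vm->recursion_left--;
        runerror_vuln(vm, msg + 1);
    }
}

/* Hardened: push only if a slot is free; otherwise reuse the last slot
 * for a fixed message, so nested errors never extend the stack. */
static void runerror_safe(VM *vm, unsigned msg) {
    if (vm->top < vm->base + STACK_SLOTS)
        *vm->top++ = msg;
    else
        vm->top[-1] = STATIC_ERRMSG;
    if (vm->recursion_left > 0) {
        vm->recursion_left--;
        runerror_safe(vm, msg + 1);
    }
}

/* Fill all slots but one, then raise an error whose handler re-raises
 * 'depth' more times.  Returns 1 if the canary word survived, 0 if the
 * error path wrote over it. */
static int simulate(int hardened, int depth) {
    VM *vm = vm_new();
    int intact;
    if (depth > SLACK_WORDS)
        depth = SLACK_WORDS;          /* keep the vulnerable path inside the slack */
    for (int i = 0; i < STACK_SLOTS - 1; i++)
        *vm->top++ = 0;               /* ordinary values already on the stack */
    vm->recursion_left = depth;
    if (hardened)
        runerror_safe(vm, 1);
    else
        runerror_vuln(vm, 1);
    intact = (vm->base[STACK_SLOTS] == CANARY);
    vm_free(vm);
    return intact;
}

int main(void) {
    printf("vulnerable, single error   : canary %s\n", simulate(0, 0) ? "intact" : "OVERWRITTEN");
    printf("vulnerable, recursive error: canary %s\n", simulate(0, 2) ? "intact" : "OVERWRITTEN");
    printf("hardened,   recursive error: canary %s\n", simulate(1, 2) ? "intact" : "OVERWRITTEN");
    return 0;
}
```

A single error fits in the one remaining slot in both versions; only the re-raise inside the handler distinguishes them. In the real interpreter the slack does not exist, so the same extra push would be reported by AddressSanitizer as a heap-buffer-overflow, which is the symptom named in this CVE.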

Affected Systems

The vulnerable code is the Lua interpreter vendored under dependencies/lua/src in praydog's REFramework. Any build of REFramework earlier than 1.5.5 is affected; 1.5.5 and later carry the fix. Because the bug lives in a bundled copy of Lua, the version of REFramework itself, not of any system-wide Lua, is what determines exposure.

Risk and Exploitability

The CVSS v4.0 base score of 6.9 is Medium (the v4.0 High band starts at 7.0). The vector (AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L) describes a local attack with low complexity that needs no privileges and no user interaction, with high availability impact on the vulnerable system and low availability impact on the surrounding system, and no confidentiality or integrity impact. The EPSS score below 1% indicates a very low current probability of exploitation, the SSVC values on the record are Exploitation: none and Automatable: no, and the CVE is not in CISA's KEV catalog. Because the overflow is triggered by a recursive error, the likely attack vector is a Lua script, or input reaching one, that REFramework executes and that can provoke an error while an earlier error is still being handled. This is an inference from the description; the record gives no explicit attack scenario.

Generated by OpenCVE AI on April 18, 2026 at 02:23 UTC.

Remediation

The CVE record links no separate vendor advisory or workaround; the description itself identifies REFramework 1.5.5 as the first fixed version, so updating is the remediation.

OpenCVE Recommended Actions

  • Upgrade REFramework to version 1.5.5 or later, the first release with the luaG_runerror fix.
  • Until the upgrade is in place, reduce exposure: run only Lua scripts from sources you trust, since the overflow is reached through error handling inside the embedded interpreter, and the record describes no configuration setting that limits error recursion.
  • If an upgrade is not immediately possible, backport the upstream change named in the CVE title ("Save stack space while handling errors") to the vendored copy in dependencies/lua/src/ldebug.c and rebuild; confirm with an AddressSanitizer build that error-in-error-handling cases no longer report a heap-buffer-overflow.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 21:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 20:30:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Praydog; Praydog reframework

Type: Vendors & Products
Values removed: (none)
Values added: Praydog; Praydog reframework

Tue, 27 Jan 2026 09:00:00 +0000

Type: Description
Values removed: (none)
Values added: An issue from the component luaG_runerror in dependencies/lua/src/ldebug.c in praydog/REFramework version before 1.5.5 leads to a heap-buffer overflow when a recursive error occurs.

Type: Title
Values added: Save stack space while handling errors in praydog/REFramework

Type: Weaknesses
Values added: CWE-787

Type: References
Values added: (empty)

Type: Metrics
Values added: cvssV4_0
  {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/S:N/AU:Y/V:D/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Updated: 2026-01-27T20:44:12.229Z

Reserved: 2026-01-27T08:39:10.281Z

Link: CVE-2026-24809

Vulnrichment

Updated: 2026-01-27T20:44:08.055Z

NVD

Status: Deferred

Published: 2026-01-27T09:15:51.160

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24809

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:30:15Z

Weaknesses