CVE-2026-24809
Unknown Unknown - Not Provided
Heap-Buffer Overflow in praydog REFramework luaG_runerror Component

Publication date: 2026-01-27

Last updated on: 2026-01-27

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description
An issue from the component luaG_runerror in dependencies/lua/src/ldebug.c in praydog/REFramework version before 1.5.5 leads to a heap-buffer overflow when a recursive error occurs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-01-27
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24809
EUVD
EUVD-2026-4761
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
praydog reframework to 1.5.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a heap-buffer overflow in the luaG_runerror function within the REFramework project before version 1.5.5. It occurs when a recursive error happens, causing improper error handling that leads to memory corruption. The issue stems from the luaG_runerror function not having received a critical security patch that was applied in the official Lua repository, which allowed excessive stack space usage and related security problems. This flaw was fixed by applying the official Lua patch to REFramework's codebase. [1]

Impact Analysis

This heap-buffer overflow vulnerability can lead to memory corruption, which may be exploited to cause crashes or potentially execute arbitrary code. Such impacts can compromise the stability and security of applications using the affected REFramework versions, possibly leading to denial of service or unauthorized actions within the affected environment. [1]

Mitigation Strategies

To mitigate this vulnerability, update the praydog/REFramework to version 1.5.5 or later, which includes the security fix for the luaG_runerror heap-buffer overflow issue. This fix applies the official Lua patch to the error handling code, preventing the vulnerability without requiring a Lua version upgrade. Applying this update will eliminate the heap-buffer overflow caused by recursive errors. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24809. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart