CVE-2021-45985: Mitre: CVE-2021-45985 Erroneous finalizer call in Lua leads to a heap-based buffer over-read
Overview
- Severity: Medium (CVSS 5.5)
- CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
- Category: Denial of Service
- Exploit Status: Not Exploited
- Exploitation Likelihood: Less Likely
- Patch Tuesday: 2023-Apr
- Released: 2023-04-14
- Last Updated: 2025-01-14
- EPSS Score: 0.26% (percentile: 49.3%)
Description
This CVE was assigned by Mitre. Some Microsoft products consume Lua open-source software. The purpose of this document is to attest to the fact that the products listed in the Security Updates table have been updated to protect against this vulnerability.
FAQ
Why is this GitHub CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Lua open-source software which is consumed by Microsoft Windows. It is being documented in the Security Update Guide to announce that the latest builds of Windows are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
Are there any additional steps that I need to follow to be protected from this vulnerability?
The changes to address this vulnerability updated Virtual Secure Mode components. The policy described in Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates has been updated to account for the latest changes. If you deployed this policy, then you'll need to redeploy using the updated policy.
Affected Products (21)
Windows
- Windows Server 2022
- Windows Server 2022 (Server Core installation)
- Windows 10 Version 21H2 for 32-bit Systems
- Windows 10 Version 21H2 for ARM64-based Systems
- Windows 10 Version 21H2 for x64-based Systems
- Windows 11 Version 22H2 for ARM64-based Systems
- Windows 11 Version 22H2 for x64-based Systems
- Windows 10 Version 22H2 for x64-based Systems
- Windows 10 Version 22H2 for ARM64-based Systems
- Windows 10 Version 22H2 for 32-bit Systems
- Windows 11 Version 23H2 for ARM64-based Systems
- Windows 11 Version 23H2 for x64-based Systems
- Windows Server 2022, 23H2 Edition (Server Core installation)
- Windows 11 Version 24H2 for ARM64-based Systems
- Windows 11 Version 24H2 for x64-based Systems
- Windows Server 2025
- Windows Server 2025 (Server Core installation)
Mariner
- CBL Mariner 2.0 x64
- Azure Linux 3.0 x64
- Azure Linux 3.0 ARM
- CBL Mariner 2.0 ARM
Security Updates (5)
Revision History
- 2023-04-14: Information published.
- 2023-04-18: Added memcached to CBL-Mariner 2.0. Added ntopng to CBL-Mariner 2.0.
- 2025-01-14: The following updates have been made: 1) Added Windows Software to the Security Updates table. Microsoft recommends updating to the latest version of their Windows operating system. 2) Added an FAQ to describe further actions customers need to take to be protected from this vulnerability.