Description
Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Oversized Serialized Data Payloads.

This issue affects rlottie: before e2d19e3b150e0e4a9586fa90b56fd3061cc98945.
Published: 2026-06-04
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Uncontrolled recursion occurs when rlottie parses serialized data that can trigger an unbounded call stack. This flaw can exhaust memory or crash the process, resulting in a denial of service. The vulnerability reflects CWE-674: Uncontrolled Recursion, and it does not convey an information disclosure or arbitrary code execution vector as described.

Affected Systems

The flaw affects the Samsung Open Source rlottie library in all releases prior to commit e2d19e3b150e0e4a9586fa90b56fd3061cc98945. Any software that incorporates this version of rlottie is potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.1 classifies the risk as medium. EPSS data is unavailable, and the vulnerability is not listed in CISA KEV, indicating no confirmed public exploitation yet. The likely attack vector is through supplying oversized or malicious serialized payloads to the library, which may be feasible if the host application accepts external data without proper size checks.

Generated by OpenCVE AI on June 4, 2026 at 11:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update rlottie to a version after commit e2d19e3b150e0e4a9586fa90b56fd3061cc98945
  • Identify all applications that embed the vulnerable rlottie library and confirm the installed version; any application still using the older commit should be marked for immediate update to mitigate the denial‑of‑service risk
  • If an immediate update is not feasible, restrict the size of serialized data passed to rlottie by implementing a size limit or input validation in the host application to reduce the recursion attack surface

Generated by OpenCVE AI on June 4, 2026 at 11:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Samsung Open Source
Samsung Open Source rlottie
Vendors & Products Samsung Open Source
Samsung Open Source rlottie

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Uncontrolled Recursion Leading to Oversized Serialized Data Payloads in rlottie

Thu, 04 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Oversized Serialized Data Payloads. This issue affects rlottie: before e2d19e3b150e0e4a9586fa90b56fd3061cc98945.
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}

Subscriptions

Samsung Open Source Rlottie
cve-icon MITRE

Status: PUBLISHED

Assigner: samsung.tv_appliance

Published:

Updated: 2026-06-08T00:31:38.938Z

Reserved: 2026-05-19T02:40:40.158Z

Link: CVE-2026-47306

cve-icon Vulnrichment

Updated: 2026-06-04T12:15:29.301Z

cve-icon NVD

Status : Deferred

Published: 2026-06-04T10:16:38.927

Modified: 2026-06-04T15:27:23.470

Link: CVE-2026-47306

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:08:27Z

Weaknesses