Description
Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Oversized Serialized Data Payloads.

This issue affects rlottie: before e2d19e3b150e0e4a9586fa90b56fd3061cc98945.
Published: 2026-06-04
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Uncontrolled recursion occurs when rlottie parses serialized data that can trigger an unbounded call stack. This flaw can exhaust memory or crash the process, resulting in a denial of service. The vulnerability reflects CWE-674: Uncontrolled Recursion, and it does not convey an information disclosure or arbitrary code execution vector as described.

Affected Systems

The flaw affects the Samsung Open Source rlottie library in all releases prior to commit e2d19e3b150e0e4a9586fa90b56fd3061cc98945. Any software that incorporates this version of rlottie is potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.1 classifies the risk as medium. EPSS data is unavailable, and the vulnerability is not listed in CISA KEV, indicating no confirmed public exploitation yet. The likely attack vector is through supplying oversized or malicious serialized payloads to the library, which may be feasible if the host application accepts external data without proper size checks.

Generated by OpenCVE AI on June 4, 2026 at 11:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update rlottie to a version after commit e2d19e3b150e0e4a9586fa90b56fd3061cc98945
  • Identify all applications that embed the vulnerable rlottie library and confirm the installed version; any application still using the older commit should be marked for immediate update to mitigate the denial‑of‑service risk
  • If an immediate update is not feasible, restrict the size of serialized data passed to rlottie by implementing a size limit or input validation in the host application to reduce the recursion attack surface

Generated by OpenCVE AI on June 4, 2026 at 11:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Uncontrolled Recursion Leading to Oversized Serialized Data Payloads in rlottie

Thu, 04 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Oversized Serialized Data Payloads. This issue affects rlottie: before e2d19e3b150e0e4a9586fa90b56fd3061cc98945.
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: samsung.tv_appliance

Published:

Updated: 2026-06-04T09:43:14.593Z

Reserved: 2026-05-19T02:40:40.158Z

Link: CVE-2026-47306

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T10:16:38.927

Modified: 2026-06-04T10:16:38.927

Link: CVE-2026-47306

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T12:00:12Z

Weaknesses