Description
Access of uninitialized pointer, Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Pointer Manipulation, Oversized Serialized Data Payloads.

This issue affects rlottie: before eae37633fda13ac05b25c6c95aacea4bc33c80a3.
Published: 2026-06-04
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Samsung’s open‑source rlottie library involves access of an uninitialized pointer and uncontrolled recursion triggered by oversized serialized data payloads. These flaws can cause the rendering engine to crash or consume excessive stack resources, resulting in service interruption or denial of service for the host application.

Affected Systems

Samsung rlottie, any application incorporating the library, is affected for all releases before the commit eae37633fda13ac05b25c6c95aacea4bc33c80a3. Applications maintaining older versions should verify their installed commit hash and consider upgrading to a newer release.

Risk and Exploitability

With a CVSS score of 6.1, the vulnerability represents a moderate threat. No EPSS score is available, and the issue is not listed in CISA KEV, indicating no confirmed exploits to date. The likely attack vector is the delivery of a malicious Lottie file to a vulnerable application, which could trigger the uninitialized pointer use and uncontrolled recursion, leading to a crash. Though exploitation is plausible, the lack of known attacks and the moderate severity suggest careful monitoring and patching as the preferred mitigation path.

Generated by OpenCVE AI on June 4, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rlottie to a release based on or after commit eae37633fda13ac05b25c6c95aacea4bc33c80a3
  • If an upgrade is not immediately possible, implement input validation to reject Lottie files whose payload exceeds a safe size threshold
  • Restrict or disable Lottie file processing in environments where it is not essential, reducing the attack surface

Generated by OpenCVE AI on June 4, 2026 at 11:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Uninitialized Pointer Access and Uncontrolled Recursion in Samsung rlottie

Thu, 04 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description Access of uninitialized pointer, Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Pointer Manipulation, Oversized Serialized Data Payloads. This issue affects rlottie: before eae37633fda13ac05b25c6c95aacea4bc33c80a3.
Weaknesses CWE-674
CWE-824
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: samsung.tv_appliance

Published:

Updated: 2026-06-04T09:38:27.208Z

Reserved: 2026-05-19T05:50:23.979Z

Link: CVE-2026-47320

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T10:16:39.323

Modified: 2026-06-04T10:16:39.323

Link: CVE-2026-47320

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T12:00:12Z

Weaknesses