Impact
An integer overflow or wraparound flaw (CWE-190) exists in the Samsung Open Source rlottie library; attackers can exploit it to induce integer arithmetic errors. The weakness leads to erroneous calculations during animation rendering, which may result in incorrect memory allocation, buffer overrun or other anomalous behavior that compromises application integrity or availability. The vulnerability is classified as a classic integer error (CWE-190).
Affected Systems
The flaw is present in all releases of Samsung Open Source rlottie before commit 21292665023e5074b38254432716866d00f1985f. Any product or application that incorporates an older version of this library, including downstream consumer applications or custom software, contains the vulnerable component. No specific downstream users are listed beyond the main project, but any reuse of this open-source component in custom or commercial code is at risk.
Risk and Exploitability
The CVSS score of 6.1 classifies this as a medium-severity issue. EPSS information is not available, and the vulnerability is not listed in CISA's KEV catalog, indicating no known active exploitation campaigns. Exploitation would likely involve supplying a maliciously crafted Lottie file to an application that parses it with the vulnerable library. Because the flaw manifests during integer arithmetic in parsing, an attacker able to supply such input could cause a denial of service or, depending on memory handling, facilitate further exploitation. The primary attack vector is application-level input, and the vulnerability requires the target to load a manipulated animation file.
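As an added illustration of the CWE-190 pattern the advisory describes (this is not rlottie's code, and the pixel format, dimension source and size cap are assumptions), here is an unchecked surface-size computation beside a hardened one that rejects wraparound and oversized frames:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical renderer: a frame surface needs width * height * bytes-per-pixel
   bytes. If width and height come from an untrusted animation file, the product
   can wrap around (CWE-190) and a buffer far smaller than the frame is allocated,
   after which rendering writes past its end. */
#define BYTES_PER_PIXEL 4u                      /* assumed 32-bit ARGB */
#define MAX_SURFACE_BYTES (256u * 1024u * 1024u) /* assumed policy cap: 256 MiB */

/* Vulnerable pattern: 32-bit arithmetic silently wraps.
   65536 x 65536 yields 0 bytes, not 16 GiB. */
uint32_t frame_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened pattern: widen to size_t, check each multiplication against
   SIZE_MAX before performing it, and enforce an upper bound so a huge but
   non-wrapping frame cannot exhaust memory. Returns 1 and sets *out on
   success, 0 if the size is zero, would overflow, or exceeds the cap. */
int frame_bytes_checked(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / (size_t)height)
        return 0;
    size_t pixels = (size_t)width * (size_t)height;
    if (pixels > SIZE_MAX / BYTES_PER_PIXEL)
        return 0;
    size_t bytes = pixels * BYTES_PER_PIXEL;
    if (bytes > MAX_SURFACE_BYTES)
        return 0;
    *out = bytes;
    return 1;
}

/* Convenience wrapper: validated byte count, or 0 when the frame is rejected. */
size_t frame_bytes_or_zero(uint32_t width, uint32_t height)
{
    size_t bytes;
    return frame_bytes_checked(width, height, &bytes) ? bytes : 0;
}

/* Allocate a surface only for validated dimensions; NULL means "rejected". */
uint8_t *alloc_surface(uint32_t width, uint32_t height)
{
    size_t bytes = frame_bytes_or_zero(width, height);
    return bytes ? (uint8_t *)calloc(1, bytes) : NULL;
}
```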
OpenCVE Enrichment