Description
Out-of-bounds write vulnerability in Samsung Open Source rlottie allows Overflow Buffers.

This issue affects rlottie: before dcfde72eae1b0464dc0dd760aec00ada6a148635.
Published: 2026-06-04
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Samsung Open Source rlottie contains an out-of-bounds write that lets an attacker overflow internal buffers. The flaw can corrupt memory used by the library, leading to application crashes or, potentially, providing a path to arbitrary code execution. It is a classic instance of CWE-787 and is present in all versions prior to the fixing commit.

Affected Systems

Affects the Samsung Open Source rlottie rendering library. All releases before commit dcfde72eae1b0464dc0dd760aec00ada6a148635 are vulnerable. Users of older builds that process Lottie animation files should be aware of this risk.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, so no exploitation evidence is currently known. The attack vector is inferred to be the processing of malicious Lottie files by any application that links against rlottie, which could be local or remote depending on the context. Because the flaw is a buffer overflow, successful exploitation could lead to denial of service or, combined with additional control-flow hijacking techniques, arbitrary code execution.

Generated by OpenCVE AI on June 4, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update rlottie to the fixed commit dcfde72eae1b0464dc0dd760aec00ada6a148635 or newer, or apply the changes from GitHub pull request #589
  • If an update is not immediately possible, restrict the use of untrusted Lottie files to a sandboxed environment and perform size checks before passing data to rlottie
  • Implement additional bounds checking and input validation in the code that feeds data into rlottie, ensuring that no write can exceed allocated buffer limits



Advisories

No advisories yet.

History

Thu, 04 Jun 2026 12:30:00 +0000

Type      Values removed   Values added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 11:45:00 +0000

Type      Values removed   Values added
Title                      Out-of-Bounds Write Exploits Buffer Overflow in Samsung rlottie

Thu, 04 Jun 2026 10:00:00 +0000

Type         Values removed   Values added
Description                   Out-of-bounds write vulnerability in Samsung Open Source rlottie allows Overflow Buffers. This issue affects rlottie: before dcfde72eae1b0464dc0dd760aec00ada6a148635.
Weaknesses                    CWE-787
References
Metrics                       cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}



MITRE

Status: PUBLISHED

Assigner: samsung.tv_appliance

Published:

Updated: 2026-06-04T09:44:26.603Z

Reserved: 2026-05-19T05:50:17.177Z

Link: CVE-2026-8916

Vulnrichment

Updated: 2026-06-04T12:08:50.342Z

NVD

Status: Received

Published: 2026-06-04T10:16:40.363

Modified: 2026-06-04T10:16:40.363

Link: CVE-2026-8916

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T11:30:12Z

Weaknesses