Skip to main content

rlottie CVE-2026-47318

| EUVDEUVD-2026-34237 MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-06-04 samsung.tv_appliance GHSA-r436-q6wh-rcxr
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 04, 2026 - 10:23 vuln.today
Analysis Generated
Jun 04, 2026 - 10:23 vuln.today

DescriptionCVE.org

Stack-based buffer overflow vulnerability in Samsung Open Source rlottie allows Overflow Buffers.

This issue affects rlottie: before ce72b35a7ad0dded03051d3aa0ef75321c3bd035.

AnalysisAI

Stack-based buffer overflow in Samsung Open Source rlottie's FreeType-derived cubic Bezier rasterizer allows a local attacker, via a crafted Lottie animation file, to crash the embedding application or potentially corrupt stack memory. The vulnerable code in gray_render_cubic (src/vector/freetype/v_ft_raster.cpp) subdivides Bezier curves onto a fixed-size bez_stack (capacity 32×3+1 vectors) without a depth guard, so a pathologically complex curve exhausts the buffer. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Technical ContextAI

rlottie is a Samsung Open Source C++ library that renders Lottie animation files (JSON-based vector graphics) and is embedded in Samsung TV OS and numerous third-party applications. The vulnerable component (src/vector/freetype/v_ft_raster.cpp) is adapted from the FreeType font rasterizer and implements Bezier curve subdivision using a fixed-size stack array bez_stack (capacity: 32×3+1 SW_FT_Vector entries). The gray_render_cubic function recursively subdivides cubic Bezier curves into this array; without bounds validation, a curve requiring more than 31 subdivision levels writes past the end of the stack buffer. The upstream fix (PR #582) inserts the guard if (arc - ras.bez_stack >= 31 * 3) return; before each subdivision step. CWE-121 (Stack-based Buffer Overflow) identifies the root cause class. CPE cpe:2.3:a:samsung_open_source:rlottie:*:*:*:*:*:*:*:* confirms all versions prior to the fix commit are affected.

RemediationAI

Update the rlottie dependency to a version incorporating commit ce72b35a7ad0dded03051d3aa0ef75321c3bd035 or later, which adds the bounds check if (arc - ras.bez_stack >= 31 * 3) return; in gray_render_cubic. The fix is available via GitHub PR #582 (https://github.com/Samsung/rlottie/pull/582); a formally tagged release version incorporating this commit is not independently confirmed from the available data - downstream maintainers should cherry-pick the commit into their vendored copy or track the upstream repository for a tagged release. As a compensating control where patching is not immediately possible, applications accepting Lottie files from untrusted sources should run the rlottie renderer in an isolated sandboxed process (e.g., a seccomp-restricted worker or separate container), so that a triggered overflow results in a contained subprocess crash rather than compromising the parent application. Additionally, input validation at the application boundary to reject abnormally large or deeply nested Lottie JSON structures can reduce the attack surface, though this requires application-specific tuning.

CVE-2024-7399 HIGH POC
8.8 Aug 12

Arbitrary file write as SYSTEM in Samsung MagicINFO 9 Server before version 21.1050 allows remote attackers to place att

CVE-2025-4632 CRITICAL POC
9.8 May 13

Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary

CVE-2012-4333 CRITICAL POC
10.0 Aug 14

Multiple stack-based buffer overflows in the BackupToAvi method in the (1) UMS_Ctrl 1.5.1.1 and (2) UMS_Ctrl_STW 2.0.1.0

CVE-2017-16524 HIGH POC
8.8 Nov 06

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_u

CVE-2015-8279 HIGH POC
8.6 Jan 15

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attackers to read arbitrary files via a request to an un

CVE-2017-17692 HIGH POC
7.5 Dec 21

Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive informat

CVE-2012-6429 CRITICAL POC
10.0 Apr 04

Buffer overflow in the PrepareSync method in the SyncService.dll ActiveX control in Samsung Kies before 2.5.1.12123_2_7

CVE-2012-4329 HIGH POC
7.8 Aug 14

The Samsung D6000 TV and possibly other products allow remote attackers to cause a denial of service (continuous restart

CVE-2012-4330 HIGH POC
7.8 Aug 14

The Samsung D6000 TV and possibly other products allows remote attackers to cause a denial of service (crash) via a long

CVE-2012-4334 CRITICAL POC
10.0 Aug 14

The ConnectDDNS method in the (1) STWConfigNVR 1.1.13.15 and (2) STWConfig 1.1.14.13 ActiveX controls in Samsung NET-i v

CVE-2015-5473 CRITICAL
9.8 Jun 01

Multiple directory traversal vulnerabilities in Samsung SyncThru 6 before 1.0 allow remote attackers to delete arbitrary

CVE-2012-4250 CRITICAL POC
9.3 Aug 13

Stack-based buffer overflow in the RequestScreenOptimization function in the XProcessControl.ocx ActiveX control in msls

Share

CVE-2026-47318 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy