Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
Stack-based buffer overflow vulnerability in Samsung Open Source rlottie allows Overflow Buffers.
This issue affects rlottie: before ce72b35a7ad0dded03051d3aa0ef75321c3bd035.
AnalysisAI
Stack-based buffer overflow in Samsung Open Source rlottie's FreeType-derived cubic Bezier rasterizer allows a local attacker, via a crafted Lottie animation file, to crash the embedding application or potentially corrupt stack memory. The vulnerable code in gray_render_cubic (src/vector/freetype/v_ft_raster.cpp) subdivides Bezier curves onto a fixed-size bez_stack (capacity 32×3+1 vectors) without a depth guard, so a pathologically complex curve exhausts the buffer. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Technical ContextAI
rlottie is a Samsung Open Source C++ library that renders Lottie animation files (JSON-based vector graphics) and is embedded in Samsung TV OS and numerous third-party applications. The vulnerable component (src/vector/freetype/v_ft_raster.cpp) is adapted from the FreeType font rasterizer and implements Bezier curve subdivision using a fixed-size stack array bez_stack (capacity: 32×3+1 SW_FT_Vector entries). The gray_render_cubic function recursively subdivides cubic Bezier curves into this array; without bounds validation, a curve requiring more than 31 subdivision levels writes past the end of the stack buffer. The upstream fix (PR #582) inserts the guard if (arc - ras.bez_stack >= 31 * 3) return; before each subdivision step. CWE-121 (Stack-based Buffer Overflow) identifies the root cause class. CPE cpe:2.3:a:samsung_open_source:rlottie:*:*:*:*:*:*:*:* confirms all versions prior to the fix commit are affected.
RemediationAI
Update the rlottie dependency to a version incorporating commit ce72b35a7ad0dded03051d3aa0ef75321c3bd035 or later, which adds the bounds check if (arc - ras.bez_stack >= 31 * 3) return; in gray_render_cubic. The fix is available via GitHub PR #582 (https://github.com/Samsung/rlottie/pull/582); a formally tagged release version incorporating this commit is not independently confirmed from the available data - downstream maintainers should cherry-pick the commit into their vendored copy or track the upstream repository for a tagged release. As a compensating control where patching is not immediately possible, applications accepting Lottie files from untrusted sources should run the rlottie renderer in an isolated sandboxed process (e.g., a seccomp-restricted worker or separate container), so that a triggered overflow results in a contained subprocess crash rather than compromising the parent application. Additionally, input validation at the application boundary to reject abnormally large or deeply nested Lottie JSON structures can reduce the attack surface, though this requires application-specific tuning.
Arbitrary file write as SYSTEM in Samsung MagicINFO 9 Server before version 21.1050 allows remote attackers to place att
Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary
Multiple stack-based buffer overflows in the BackupToAvi method in the (1) UMS_Ctrl 1.5.1.1 and (2) UMS_Ctrl_STW 2.0.1.0
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_u
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attackers to read arbitrary files via a request to an un
Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive informat
Buffer overflow in the PrepareSync method in the SyncService.dll ActiveX control in Samsung Kies before 2.5.1.12123_2_7
The Samsung D6000 TV and possibly other products allow remote attackers to cause a denial of service (continuous restart
The Samsung D6000 TV and possibly other products allows remote attackers to cause a denial of service (crash) via a long
The ConnectDDNS method in the (1) STWConfigNVR 1.1.13.15 and (2) STWConfig 1.1.14.13 ActiveX controls in Samsung NET-i v
Multiple directory traversal vulnerabilities in Samsung SyncThru 6 before 1.0 allow remote attackers to delete arbitrary
Stack-based buffer overflow in the RequestScreenOptimization function in the XProcessControl.ocx ActiveX control in msls
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34237
GHSA-r436-q6wh-rcxr