Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
Out-of-bounds write vulnerability in Samsung Open Source rlottie allows Overflow Buffers.
This issue affects rlottie: before dcfde72eae1b0464dc0dd760aec00ada6a148635.
AnalysisAI
Out-of-bounds write in Samsung's rlottie animation rendering library allows a crafted Lottie animation file to trigger integer truncation in the embedded FreeType rasterizer, causing memory corruption. All rlottie versions before commit dcfde72eae1b0464dc0dd760aec00ada6a148635 are affected, spanning any downstream product or platform embedding this library (including Samsung TV and appliance firmware). Exploitation requires local access and user interaction to render a malicious animation, with primary impact being high availability loss (crash/DoS) and limited integrity impact; no public exploit identified at time of analysis and no active exploitation confirmed.
Technical ContextAI
rlottie (CPE: cpe:2.3:a:samsung_open_source:rlottie:*:*:*:*:*:*:*:*) is a Samsung Open Source C++ library for rendering Lottie JSON-based vector animations, embedded in Samsung TV and appliance firmware among other products. The vulnerability (CWE-787: Out-of-bounds Write) resides in the FreeType rasterizer component across three files: v_ft_raster.h, v_ft_stroker.cpp, and vraster.cpp. The root cause is integer width mismatch: fields n_contours and n_points, and the contours pointer array, were typed as short (SW_FT_Short, 16-bit signed, max 32,767). When processing complex Lottie animations whose contour or point counts exceed this limit, the values are silently truncated, causing incorrect pointer arithmetic in ft_stroke_border_export() and out-of-bounds writes into the outline buffer. The PR diff confirms the fix is a straightforward type widening: short/SW_FT_Short → int/SW_FT_Int across all relevant fields and casts, eliminating the truncation path.
RemediationAI
Upgrade to the rlottie build containing commit dcfde72eae1b0464dc0dd760aec00ada6a148635, available via the upstream fix at https://github.com/Samsung/rlottie/pull/589. Note that no independently confirmed tagged release version is associated with this fix - the patch exists as a merged PR/commit, and a specific release version has not been confirmed in the available data. Downstream consumers of rlottie (e.g., Samsung TV/appliance firmware) should verify their vendor's advisory for a packaged fix version. As a compensating control where patching is not immediately possible, restrict the processing of untrusted or externally-sourced Lottie animation files within affected applications; this eliminates the attacker-controlled input path required to trigger the integer truncation. If rlottie is used in a sandboxed rendering process, ensuring that sandbox isolation is properly configured limits the blast radius of a successful crash to the sandbox context rather than the host application.
Arbitrary file write as SYSTEM in Samsung MagicINFO 9 Server before version 21.1050 allows remote attackers to place att
Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary
Multiple stack-based buffer overflows in the BackupToAvi method in the (1) UMS_Ctrl 1.5.1.1 and (2) UMS_Ctrl_STW 2.0.1.0
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_u
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attackers to read arbitrary files via a request to an un
Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive informat
Buffer overflow in the PrepareSync method in the SyncService.dll ActiveX control in Samsung Kies before 2.5.1.12123_2_7
The Samsung D6000 TV and possibly other products allow remote attackers to cause a denial of service (continuous restart
The Samsung D6000 TV and possibly other products allows remote attackers to cause a denial of service (crash) via a long
The ConnectDDNS method in the (1) STWConfigNVR 1.1.13.15 and (2) STWConfig 1.1.14.13 ActiveX controls in Samsung NET-i v
Multiple directory traversal vulnerabilities in Samsung SyncThru 6 before 1.0 allow remote attackers to delete arbitrary
Stack-based buffer overflow in the RequestScreenOptimization function in the XProcessControl.ocx ActiveX control in msls
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34238
GHSA-598h-r4p3-q3wf