MEDIUM 6.1

CVE-2026-47318: Stack Buffer Overflow in Samsung rlottie Animation Library

A stack-based buffer overflow has been found in Samsung's rlottie library, an open-source animation rendering engine. When processing untrusted animation files, the library can write data beyond its allocated memory on the stack, potentially causing the application to crash or allowing limited data manipulation. The vulnerability requires a user to open a malicious animation file; it cannot be exploited remotely.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Weaknesses (CWE)
CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Stack-based buffer overflow vulnerability in Samsung Open Source rlottie allows Overflow Buffers. This issue affects rlottie: before ce72b35a7ad0dded03051d3aa0ef75321c3bd035.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47318 is a stack-based buffer overflow (CWE-121) in the rlottie animation library prior to commit ce72b35a7ad0dded03051d3aa0ef75321c3bd035. The overflow occurs during buffer processing, likely within animation frame parsing or rendering logic. The CVSS 3.1 score of 6.1 (MEDIUM severity) reflects local attack surface (AV:L), low complexity, no privilege requirement, and user interaction needed. The impact is high availability (A:H) but limited confidentiality and integrity (C:N, I:L), indicating denial-of-service risk with minimal information disclosure potential.

Business impact

Applications integrating rlottie for animation rendering—including design tools, media players, and UI frameworks—face availability risk. A user opening a specially crafted animation file can trigger an application crash, disrupting workflows. For production systems consuming untrusted animation content without validation, this creates operational exposure. The impact is typically localized to individual sessions rather than system-wide compromise, but repeated crashes may affect service reliability and user experience.

Affected systems

Any application or library that embeds Samsung's rlottie before the patched commit is affected. This includes open-source projects, commercial software, and embedded systems that render Lottie animations (JSON-based animation format). The vulnerability affects all platform builds—Linux, Windows, macOS, Android, iOS—since the flaw resides in core animation parsing code. Developers should verify whether their dependencies or vendored code includes vulnerable rlottie versions.

Exploitability

Exploitation requires user interaction: opening or importing a malicious animation file. There is no remote network attack vector. Attack complexity is low—crafting a malicious Lottie JSON file is straightforward—but weaponization is limited to denial-of-service. The vulnerability does not appear on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting no in-the-wild exploitation has been documented at publication. Nonetheless, the public nature of the library means proof-of-concept development is feasible.

Remediation

Update rlottie to a version at or after commit ce72b35a7ad0dded03051d3aa0ef75321c3bd035. For projects using rlottie as a git submodule or direct source dependency, pull the latest upstream. For packaged dependencies, update via package manager once patched versions are released. Interim mitigation includes restricting animation file sources to trusted origins and implementing file format validation before passing to rlottie.

Patch guidance

Verify the exact patched version or commit available for your platform via the Samsung rlottie GitHub repository. Patch availability timing varies by downstream package maintainers—check your OS repository or direct integration point. Test thoroughly after patching to ensure animation functionality remains intact. If your application vendors rlottie code, prioritize updating that source to or beyond the fixed commit.

Detection guidance

Monitor application crash logs and core dumps for stack overflow signatures, particularly during animation file processing. Use static analysis (SAST) tools to identify rlottie usage in your codebase and verify versions. Dynamic testing: feed malformed or oversized Lottie JSON files to animation-processing code paths and observe for segmentation faults. Memory sanitizers (AddressSanitizer, Valgrind) applied to rlottie-using binaries will flag the overflow during testing.

Why prioritize this

MEDIUM severity warrants prompt but not emergency patching. The local attack vector and user interaction requirement significantly constrain real-world risk. However, if your application processes animation files from untrusted sources (user uploads, third-party APIs), or if availability is business-critical, advance this toward higher priority. Applications with minimal animation functionality or strict input control can defer safely, but should still schedule remediation within 2–4 weeks.

Risk score, explained

CVSS 3.1 score of 6.1 reflects the combination of low attack surface (local only, user interaction required) and modest impact scope (no confidentiality loss, limited integrity impact). The high availability impact (crash potential) justifies the MEDIUM rating rather than LOW. The score does not account for compensating controls—if your deployment already restricts animation sources or runs rlottie in sandboxed processes, actual risk is lower.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. The attack vector is local and requires user interaction. An attacker cannot exploit this over the network. The overflow results in a crash (denial-of-service) rather than code execution.

Which versions of rlottie are affected?

All versions prior to commit ce72b35a7ad0dded03051d3aa0ef75321c3bd035 are affected. Consult the Samsung rlottie GitHub repository to determine the version number corresponding to this commit and verify your installed version.

Can I mitigate this without patching immediately?

Temporarily, yes. Restrict animation file sources to known-safe, trusted origins. Avoid processing animation files from untrusted users or external APIs. However, patching is the proper fix and should be scheduled within 2–4 weeks.

How do I check if my application uses the vulnerable rlottie code?

Search your dependency manifests (package.json, requirements.txt, Cargo.toml, etc.) and vendored code directories for rlottie. Use your package manager to determine the installed version, then cross-reference against the patched commit on the GitHub repository.

This analysis is based on publicly available vulnerability data as of the publication date. CVSS scores and KEV status reflect official sources; always verify against the latest CVE record and vendor advisories before making patching decisions. No exploit code or detailed attack instructions are provided. Organizations should conduct their own risk assessment considering their specific deployment context, data sensitivity, and exposure to untrusted animation sources. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).