CVE-2026-47319: rlottie Memory Allocation Vulnerability – Denial of Service Risk
A memory allocation flaw in Samsung's rlottie animation rendering library allows an attacker to trigger excessive memory allocation by supplying a specially crafted input with an oversized size value. When a user opens a malicious animation file, the library attempts to allocate far more memory than intended, degrading system performance or causing the application to crash. This is a local attack that requires user interaction—the victim must open or process a hostile animation file.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
- Weaknesses (CWE)
- CWE-789
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Memory allocation with excessive size value vulnerability in Samsung Open Source rlottie allows Excessive Allocation. This issue affects rlottie: before 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47319 is a CWE-789 (Uncontrolled Allocation of Resources with Excessive Size Value) vulnerability in Samsung Open Source rlottie affecting versions prior to commit 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd. The flaw resides in the memory allocation logic, where insufficient validation of size parameters permits an attacker to cause the library to allocate disproportionately large memory blocks. The vulnerability manifests when rlottie processes animation data containing maliciously inflated allocation requests, exhausting heap memory and triggering denial of service conditions. The attack vector is local and requires user interaction (opening a file), but no privileges are needed to trigger the flaw.
Business impact
Organizations deploying applications that embed rlottie (commonly used in media players, design tools, and animation frameworks) face potential service disruption if users are social-engineered into opening hostile animation files. While the vulnerability does not enable data theft or code execution, repeated exploitation can degrade system responsiveness, increase support costs, and erode user trust in affected products. The impact is primarily availability-focused; integrity and confidentiality are not at risk.
Affected systems
Samsung Open Source rlottie library versions before commit 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd are vulnerable. Any third-party application or framework that statically links or dynamically embeds an unpatched version of rlottie is at risk. This includes animation renderers, media editing software, and UI frameworks that use rlottie for Lottie animation playback. The exact affected products and versions depend on downstream integrations; verify your dependencies against the rlottie repository commit history.
Exploitability
Exploitability is moderate. An attacker must craft a malicious animation file (typically JSON-based Lottie format) with oversized allocation parameters and deliver it to a target user. Exploitation requires local file access and user interaction—the victim must open or import the file in an application using the vulnerable library. No network transmission or privilege escalation is needed. The barrier to exploitation is low for attackers with basic knowledge of the Lottie format, but attack surface is limited by the requirement for user action.
Remediation
Upgrade rlottie to a version incorporating commit 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd or later. Applications embedding rlottie should rebuild and redeploy with the patched library. For downstream consumers (apps using rlottie), check your dependency management tools for available updates and apply them in your next release cycle. Until patching is complete, educate users to avoid opening animation files from untrusted sources.
Patch guidance
Consult the Samsung rlottie GitHub repository (https://github.com/Samsung/rlottie) for the specific version or tag incorporating the fix commit 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd. Most projects using rlottie depend on it via package managers (e.g., npm, pip, Maven); check for available updates and test in a staging environment before production deployment. If your application statically links rlottie, you will need to rebuild and repackage. Verify the patch commit is present in your build artifacts before releasing.
Detection guidance
Monitor for abnormal memory consumption patterns in processes using rlottie, particularly when users load animation files from external sources. Implement file validation at the application level to reject Lottie files with suspiciously large allocation hints before passing them to the renderer. Network-based detection is unlikely to be effective since the attack is file-driven and local; focus on endpoint telemetry and application error logs for allocation failures or out-of-memory events tied to animation processing.
Why prioritize this
This vulnerability merits medium priority in patching schedules. Although the CVSS score of 6.1 reflects moderate severity and the attack requires user interaction, the ease of weaponization (crafting a malicious animation file) and the breadth of potential downstream users of rlottie create cumulative risk. Prioritize patching in products where animation rendering is user-facing or where animation files are imported from untrusted channels; defer patching of internal-only or air-gapped systems using rlottie if user interaction with external files is infeasible.
Risk score, explained
The CVSS 3.1 score of 6.1 (MEDIUM) reflects an attack that requires local access and user interaction (AV:L/UI:R), cannot be exploited remotely, does not require privileges (PR:N), and causes high availability impact (A:H) but limited integrity compromise (I:L). The score appropriately captures the denial-of-service potential while acknowledging the barriers to exploitation. Organizations with strict file-import policies may rate this lower in practice; those with open document-sharing practices should consider this closer to a high-priority issue.
Frequently asked questions
Can this vulnerability be exploited remotely or over the network?
No. The attack vector is local (AV:L), meaning the attacker must have the ability to place a malicious animation file on the target system or trick a local user into opening one. Network-based remote exploitation is not possible.
What is the difference between rlottie and Lottie?
Lottie is a cross-platform animation format (JSON-based) supported by Adobe and others. rlottie is Samsung's open-source rendering engine for Lottie animations. Applications that display Lottie files typically use a Lottie library or engine like rlottie; the vulnerability is in the rendering engine, not the format itself.
If we do not use animation rendering in our product, are we affected?
No. You are only affected if your product statically links, dynamically loads, or otherwise depends on the vulnerable rlottie library. Audit your dependency trees and software bill of materials (SBOM) to confirm whether rlottie is present. If it is not, there is no exposure from this CVE.
What should we tell users while we prepare a patch?
Advise users to avoid opening animation files (.json, .lottie formats) from untrusted or unexpected sources. If your application is compromised, inform users of the availability of a patch and provide clear upgrade instructions. Emphasize that the vulnerability requires user action to trigger and does not enable remote code execution or data theft.
This analysis is provided for informational purposes and reflects the state of publicly available vulnerability data as of the publication date. SEC.co does not guarantee the completeness or real-time accuracy of this intelligence. Organizations should independently verify patch availability, affected product versions, and compatibility in their environments before deployment. Consult vendor security advisories and release notes for authoritative guidance. This vulnerability analysis does not constitute professional security advice tailored to your organization; engage qualified security professionals for risk assessment and remediation planning specific to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-41178MEDIUMOpenTelemetry-Go Baggage Parsing DoS Vulnerability
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk