VYPR
Unrated severity · NVD Advisory · Published May 18, 2021 · Updated Aug 3, 2024

CVE-2021-31315

Description

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Stack Based Overflow in the blit function of their custom fork of the rlottie library. A remote attacker might be able to access Telegram's stack memory out-of-bounds on a victim device via a malicious animated sticker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack buffer overflow in Telegram's custom rlottie library allows remote attackers to read out-of-bounds stack memory via a malicious animated sticker.

Vulnerability

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 use a custom fork of the rlottie library to render animated stickers. The `blit` function in `vrle.cpp` contains a stack buffer overflow due to insufficient bounds checking. Specifically, when processing multiple "maskProperties", a negative `spans->x` value can bypass the check `if (x + l > len)`, leading to an out-of-bounds read from the stack buffer. The vulnerable code is at TMessagesProj/jni/rlottie/src/vector/vrle.cpp, lines 562 and 569 [2].

Exploitation

An attacker can craft a malicious animated sticker with specially crafted mask properties that cause a negative spans->x value. The victim only needs to receive and view the sticker in Telegram (e.g., in a chat or sticker set). No additional user interaction beyond viewing is required. The attacker does not need authentication or special network position; they can send the sticker to any Telegram user.

Impact

Successful exploitation allows a remote attacker to read out-of-bounds stack memory of the Telegram process on the victim's device. This could leak sensitive information such as encryption keys, session tokens, or other data present on the stack. The advisory notes this is a stack out-of-bounds read, not a write, so code execution is not directly achieved, but information disclosure is possible [1][2].

Mitigation

Telegram fixed this vulnerability in versions 7.1.0 (2090) for Android (released September 30, 2020), 7.1 for iOS (September 30, 2020), and 7.1 for macOS (October 2, 2020) [1]. Users should update to these versions or later. No workaround is available for older versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"Missing bounds check on the loop index `pos` in `VGradientCache::generateGradientColorTable` allows writing attacker-controlled ARGB values past the end of a fixed-size heap buffer."

Attack vector

An attacker crafts a malicious Lottie animated sticker (JSON file) containing a carefully chosen float value for `curr->first` in a gradient stop definition [ref_id=1]. When Telegram renders the sticker, the `generateGradientColorTable` function iterates while `fpos <= curr->first`; because `curr->first` is attacker-controlled and the loop lacks a bounds check on `pos`, it writes past the end of the 1024-element `colorTable` array on the heap [ref_id=1]. The written bytes are constrained by the ARGB encoding performed by `premulARGB()` but are ultimately derived from attacker-supplied sticker data [ref_id=1]. The victim only needs to receive and view the animated sticker (e.g., via a Telegram chat or channel) to trigger the overflow [ref_id=1].

Affected code

The vulnerability resides in the `VGradientCache::generateGradientColorTable` function in `rlottie/src/vector/vdrawhelper.cpp` [ref_id=1]. The `colorTable` array is a fixed-size `uint32_t` buffer of 1024 elements, but the loop that writes into it does not check the index `pos` against the `size` parameter [ref_id=1].

What the fix does

Telegram patched the issue in client versions 7.1.0 (Android), 7.1 (iOS), and 7.1 (macOS) released in September/October 2020 [ref_id=1]. The advisory does not include a patch diff, but the fix is described as adding a bounds check on the `pos` index against the `size` parameter inside `generateGradientColorTable` to prevent writing beyond the allocated `colorTable` array [ref_id=1].

Preconditions

  • Config: Victim must use an affected Telegram client (Android <7.1.0 (2090), iOS <7.1, or macOS <7.1)
  • Input: Attacker must deliver a malicious Lottie animated sticker to the victim (e.g., via a Telegram chat or channel)
  • Input: Victim must view the animated sticker (automatic playback in supported clients)

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (No linked articles in our index yet.)