VYPR
Unrated severity · NVD Advisory · Published May 18, 2021 · Updated Aug 3, 2024

CVE-2021-31317

Description

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Type Confusion in the VDasher constructor of their custom fork of the rlottie library. A remote attacker might be able to access Telegram's heap memory out-of-bounds on a victim device via a malicious animated sticker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Type confusion in Telegram's rlottie VDasher constructor lets a remote attacker read out-of-bounds heap memory via a malicious animated sticker.

Vulnerability

A type confusion vulnerability exists in the VDasher constructor of Telegram's custom fork of the rlottie library, affecting Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1. [1] The code assumes that dash properties from an animated sticker always contain at least two values (length and gap). When only a single dash value is provided, the reinterpret_cast in the constructor treats a float* as a VDasher::Dash*, causing an out-of-bounds read of heap memory for the missing gap value. [2]
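As an added illustration (not rlottie's or Telegram's code), the unchecked reinterpret_cast pattern the paragraph describes is shown beside a checked form that validates the dash run before forming (length, gap) pairs. The struct layout, the count arithmetic in the unchecked version, the class names and the sample inputs are constructed assumptions; only the mechanism (a float run viewed as pairs, with the gap of a lone value lying past the end of the buffer) comes from the page.

```cpp
#include <cstddef>
#include <vector>

// Constructed illustration of the hazard described above (not rlottie's or
// Telegram's code). A Lottie dash property arrives as a flat run of floats that
// the renderer wants to view as (length, gap) pairs.
struct Dash {
    float length;
    float gap;
};

// Unchecked pattern: the float run is reinterpreted in place as a Dash array.
// The count is derived from n without requiring n to be even (the rounding
// used here is an assumption, not rlottie's exact arithmetic), so with a
// single float the only "pair" has its gap 4 bytes past the end of the run,
// and any later consumer (the page names updateActiveSegment) reads heap
// memory that does not belong to the dash array. Kept for contrast only.
struct UncheckedDasher {
    const Dash* dashes;
    size_t count;
    UncheckedDasher(const float* arr, size_t n)
        : dashes(reinterpret_cast<const Dash*>(arr)), count((n + 1) / 2) {}
};

// Hardened form: validate the run length before any pair is formed, copy the
// pairs into owned storage, and expose only bounds-checked access, so no later
// stage can index past the source buffer whatever the sticker supplied.
class CheckedDasher {
public:
    // Returns false for runs that cannot form whole (length, gap) pairs or
    // that carry negative/NaN values; out is left empty in that case.
    static bool build(const float* arr, size_t n, CheckedDasher& out) {
        out.dashes_.clear();
        if (n < 2 || n % 2 != 0) return false;
        out.dashes_.reserve(n / 2);
        for (size_t i = 0; i + 1 < n; i += 2) {
            float len = arr[i];
            float gap = arr[i + 1];
            if (!(len >= 0.0f) || !(gap >= 0.0f)) {  // also rejects NaN
                out.dashes_.clear();
                return false;
            }
            out.dashes_.push_back(Dash{len, gap});
        }
        return true;
    }
    size_t count() const { return dashes_.size(); }
    const Dash& at(size_t i) const { return dashes_.at(i); }  // throws, never overreads
private:
    std::vector<Dash> dashes_;
};

// Constructed sample inputs: a well-formed dash, gap, dash, gap run and the
// single-value run the description says triggers the out-of-bounds read.
static const float kGoodRun[] = {10.0f, 5.0f, 2.0f, 2.0f};
static const float kSingleRun[] = {10.0f};
```

The point of the checked form is that the length check happens once, at the boundary where untrusted sticker data becomes a typed structure; everything downstream then works on owned, correctly sized storage instead of on a pointer whose validity depends on the parser having produced an even number of values.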

Exploitation

An attacker requires no special privileges beyond the ability to send a malicious animated sticker to a victim. The victim only needs to open the sticker, which triggers the rlottie rendering engine. The vulnerable code path is reached automatically when processing the sticker's dash array with a single element. [1][2]

Impact

Successful exploitation allows a remote attacker to read heap memory out-of-bounds from the Telegram process on the victim's device. This can lead to information disclosure of potentially sensitive data residing in adjacent heap memory. The read occurs in the updateActiveSegment function. [2]

Mitigation

Telegram fixed this issue in version 7.1.0 (2090) for Android, 7.1 for iOS, and 7.1 for macOS, released on September 30, 2020 (Android/iOS) and October 2, 2020 (macOS). [1] Users who have updated their clients to those releases or later are protected. No workaround exists for unpatched versions.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Telegram/Telegram Android
  • Range: <7.1.0 (Android), <7.1 (iOS), <7.1 (macOS)

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check on loop index in VGradientCache::generateGradientColorTable allows heap out-of-bounds write."

Attack vector

An attacker sends a malicious animated sticker (Lottie JSON) to a Telegram user. When the victim's Telegram client renders the sticker, the rlottie library parses the JSON and eventually calls `VGradientCache::generateGradientColorTable`. The attacker controls the `curr->first` float value in the gradient stop data, which determines how many times the loop writes to `colorTable[pos]`. Because `pos` is never checked against the fixed buffer size, the loop writes 4 bytes (an ARGB color value) past the end of the heap-allocated `colorTable` array. The written bytes are constrained by the `premulARGB()` encoding but are ultimately derived from attacker-supplied sticker content [ref_id=1].

Affected code

The vulnerability is in the `VGradientCache::generateGradientColorTable` function within `rlottie/src/vector/vdrawhelper.cpp`. The `colorTable` array is a fixed-size (1024) heap buffer, but the loop writes to `colorTable[pos]` without checking that `pos` remains below `size` (the array length). The loop condition depends on the attacker-controlled float `curr->first`, which can cause many iterations beyond the buffer boundary [ref_id=1].
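As an added example serving both the attack-vector and affected-code passages above (constructed here, not rlottie's code), this is a gradient colour-table fill in which the write index is bounded by the table length as well as by the stop-derived segment end, with the unchecked loop shape shown only in a comment for contrast. The Stop layout, the interpolation, the function names and the sample stops are assumptions; the fixed table length of 1024 and the fact that the per-stop write count derives from an attacker-influenced float position come from the page.

```cpp
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Constructed illustration (not rlottie's code) of the colour-table fill the
// page describes: each gradient stop is (position, ARGB colour), with the
// position being the attacker-influenced float the page calls curr->first.
using Stop = std::pair<float, uint32_t>;
static constexpr size_t kTableSize = 1024;  // the fixed table length named above

// Per-channel linear interpolation of two ARGB colours (premultiplication,
// which the page mentions, is omitted here; it does not affect the bound).
static uint32_t lerpARGB(uint32_t a, uint32_t b, float t) {
    uint32_t out = 0;
    for (unsigned shift = 0; shift < 32; shift += 8) {
        float ca = static_cast<float>((a >> shift) & 0xFFu);
        float cb = static_cast<float>((b >> shift) & 0xFFu);
        uint32_t c = static_cast<uint32_t>(ca + (cb - ca) * t + 0.5f);
        out |= (c & 0xFFu) << shift;
    }
    return out;
}

// Maps a stop position to a table index. Positions outside [0,1], and NaN,
// are clamped instead of being allowed to drive the write index.
size_t stopToIndex(float position) {
    if (!(position >= 0.0f)) position = 0.0f;  // negative or NaN
    if (position > 1.0f) position = 1.0f;
    size_t idx = static_cast<size_t>(position * static_cast<float>(kTableSize - 1));
    return std::min(idx, kTableSize - 1);
}

// Unchecked shape described on the page (for contrast, not executed):
//   for (; pos < next; ++pos) colorTable[pos] = ...;   // next from curr->first
// If `next` exceeds the table length, the writes continue past the buffer.
//
// Hardened fill: every write is guarded by pos < kTableSize as well as by the
// segment end, and the table is owned storage sized once up front.
bool generateGradientColorTable(const std::vector<Stop>& stops,
                                std::vector<uint32_t>& table) {
    if (stops.empty()) return false;
    table.assign(kTableSize, 0u);
    size_t pos = 0;
    for (size_t i = 0; i + 1 < stops.size(); ++i) {
        size_t segStart = pos;
        size_t segEnd = std::max(stopToIndex(stops[i + 1].first), pos);
        float span = static_cast<float>(segEnd - segStart);
        for (; pos < segEnd && pos < kTableSize; ++pos) {
            float t = span > 0.0f ? static_cast<float>(pos - segStart) / span : 0.0f;
            table[pos] = lerpARGB(stops[i].second, stops[i + 1].second, t);
        }
    }
    // Fill whatever remains with the last stop's colour; still bounded.
    for (; pos < kTableSize; ++pos) table[pos] = stops.back().second;
    return true;
}
```

Two separate defences are at work: clamping the untrusted position before it is turned into an index (so a stop at 1.5 or NaN cannot request more entries than exist), and an explicit `pos < kTableSize` guard on the write loop itself, so that even a future change to the index arithmetic cannot reintroduce an overrun.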

What the fix does

The advisory does not include a patch diff, but states that Telegram fixed the issue in client versions released September–October 2020: Telegram Android v7.1.0 (2090), Telegram iOS v7.1, and Telegram macOS v7.1 [ref_id=1]. The researcher notes that the root cause is an unbounded loop where `pos` is not checked against `size` (the `colorTable` array length). The fix likely adds a bounds check on `pos` before writing to `colorTable[pos]`, or limits the loop iterations based on `size` [ref_id=1].

Preconditions

  • config: Victim must use an affected Telegram client (Android <7.1.0 (2090), iOS <7.1, or macOS <7.1)
  • input: Attacker must send a malicious animated sticker (Lottie JSON) to the victim
  • input: Victim must open or view the animated sticker, triggering rlottie rendering

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.