VYPR
Unrated severity · NVD Advisory · Published May 18, 2021 · Updated Aug 3, 2024

CVE-2021-31318

Description

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Type Confusion in the LOTCompLayerItem::LOTCompLayerItem function of their custom fork of the rlottie library. A remote attacker might be able to access heap memory out-of-bounds on a victim device via a malicious animated sticker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Telegram apps prior to version 7.1.0 are vulnerable to a type confusion in the rlottie library that allows remote attackers to read heap memory via a malicious animated sticker.

Vulnerability

A type confusion vulnerability exists in the LOTCompLayerItem::LOTCompLayerItem function of Telegram's custom fork of the rlottie library, used for rendering animated stickers [1]. The function performs a static_cast to LOTLayerData* without verifying the object type, leading to out-of-bounds heap memory access [2]. Affected versions are Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 [1].

Exploitation

An attacker can exploit this vulnerability by sending a malicious animated sticker to a victim via Telegram [1]. No authentication or user interaction beyond opening the sticker is required. The sticker's malformed data triggers the type confusion, resulting in an out-of-bounds read from heap memory [1][2].

Impact

Successful exploitation allows a remote attacker to read out-of-bounds heap memory from the victim's Telegram process. This could lead to information disclosure of sensitive data stored in the heap, such as messages or cryptographic keys. The advisory confirms the impact as heap memory out-of-bounds access [2].

Mitigation

Telegram patched this vulnerability in versions 7.1.0 (Android 2090, iOS, and macOS), released in late September/early October 2020 [1]. Users should update to these versions or later. No workarounds are available; updating is the only remediation [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"Missing bounds check on loop index `pos` in `VGradientCache::generateGradientColorTable` allows heap out-of-bounds write."

Attack vector

A remote attacker sends a malicious animated sticker (Lottie JSON) to a Telegram user. When the victim's Telegram client renders the sticker, the parser reaches `VGradientCache::generateGradientColorTable`, where a loop writes to `colorTable[pos]` without checking that `pos` stays below the array size (1024). The loop condition depends on attacker-controlled float values (`curr->first`) from the sticker file, allowing the attacker to write controlled ARGB-encoded 4-byte values past the end of the heap-allocated color table [ref_id=1].

Affected code

The vulnerability resides in the `VGradientCache::generateGradientColorTable` function within `rlottie/src/vector/vdrawhelper.cpp`. The call chain starts from `LOTCompLayerItem::render` and flows through `VPainter::setBrush`, `VSpanData::setup`, `VGradientCache::getBuffer`, and `VGradientCache::addCacheElement` before reaching the vulnerable loop [ref_id=1].

What the fix does

The advisory does not include a patch diff, but states that Telegram fixed the issue in Android v7.1.0 (2090), iOS v7.1, and macOS v7.1, released in September/October 2020 [ref_id=1]. The fix likely adds a bounds check on `pos` against `size` inside the `while (fpos <= curr->first)` loop to prevent writing beyond the allocated 1024-element `colorTable` array [ref_id=1].
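As an added illustration (not rlottie's or Telegram's code), a simplified model of the fill loop described above: `countUncheckedWrites` shows how a stop position above 1.0 taken from the sticker drives the index past a 1024-entry table, and `fillGradientTable` is the bounded form the advisory suggests as the fix. The stop layout, the `blend` helper and the half-step starting offset are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>
// Constructed model of a gradient colour-table fill, not rlottie's code.
// A stop is (position, ARGB colour); positions are expected to lie in [0, 1].
using GradientStop = std::pair<float, uint32_t>;
constexpr size_t kTableSize = 1024;
// Per-channel linear interpolation between two ARGB colours, t in [0, 1].
static uint32_t blend(uint32_t a, uint32_t b, float t) {
    uint32_t out = 0;
    for (int shift = 0; shift < 32; shift += 8) {
        float ca = static_cast<float>((a >> shift) & 0xFF);
        float cb = static_cast<float>((b >> shift) & 0xFF);
        out |= (static_cast<uint32_t>(ca + (cb - ca) * t) & 0xFFu) << shift;
    }
    return out;
}
// How many slots an unchecked loop would write: it advances until fpos passes the
// last stop position, so a position above 1.0 pushes pos past size. Counts only.
size_t countUncheckedWrites(const std::vector<GradientStop>& stops, size_t size) {
    if (stops.empty()) return 0;
    const float incr = 1.0f / static_cast<float>(size);
    float fpos = 1.5f * incr;
    size_t pos = 1;  // slot 0 holds the first stop colour
    for (size_t i = 1; i < stops.size(); ++i)
        while (fpos <= stops[i].first) { ++pos; fpos += incr; }  // no bound on pos
    return pos;
}
// Bounded fill: every write is guarded by pos < size; returns slots written.
size_t fillGradientTable(const std::vector<GradientStop>& stops, uint32_t* table, size_t size) {
    if (stops.empty() || size == 0) return 0;
    const float incr = 1.0f / static_cast<float>(size);
    size_t pos = 0;
    table[pos++] = stops[0].second;
    float fpos = 1.5f * incr;
    for (size_t i = 1; i < stops.size() && pos < size; ++i) {
        const float lo = stops[i - 1].first, hi = stops[i].first;
        while (fpos <= hi && pos < size) {  // the missing bounds check on pos
            float t = hi > lo ? (fpos - lo) / (hi - lo) : 1.0f;
            t = t < 0.0f ? 0.0f : (t > 1.0f ? 1.0f : t);  // tolerate unsorted stops
            table[pos++] = blend(stops[i - 1].second, stops[i].second, t);
            fpos += incr;
        }
    }
    while (pos < size) table[pos++] = stops.back().second;  // pad remaining slots
    return pos;
}
```

With a well-formed gradient the unchecked count equals the table size exactly; a stop at position 3.0 makes it three times the table, which is the overrun the bounded version refuses to perform.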

Preconditions

  • config: Victim must use Telegram Android <7.1.0 (2090), Telegram iOS <7.1, or Telegram macOS <7.1
  • input: Attacker must deliver a malicious animated sticker to the victim (e.g., via chat or channel)
  • input: Victim's client must render the sticker (automatic preview or explicit playback)

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (No linked articles in our index yet.)