CVE-2021-31320
Description
Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the VGradientCache::generateGradientColorTable function of their custom fork of the rlottie library. A remote attacker might be able to overwrite heap memory out-of-bounds on a victim device via a malicious animated sticker.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap buffer overflow in Telegram's rlottie library allows remote attackers to overwrite heap memory via a malicious animated sticker.
Vulnerability
A heap buffer overflow exists in the VGradientCache::generateGradientColorTable function of Telegram's custom fork of the rlottie library. The affected versions are Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 [1][2]. The vulnerability is caused by a while loop that does not properly limit the pos variable, which can exceed the size of the colorTable array (1024 elements) when a crafted animated sticker provides a large curr->first float value [2]. This leads to an out-of-bounds write of 4 bytes (a uint32_t) beyond the heap-allocated buffer.
Exploitation
An attacker can exploit this vulnerability by sending a malicious animated sticker to a victim via Telegram. No authentication or special privileges are required; the victim only needs to open the sticker. The attacker controls the sticker file to set curr->first to a specific large float, causing pos to exceed the array bounds. The written values are partially controlled through ARGB color constraints imposed by premulARGB() and getColorReplacement() functions, but the attacker can still influence the overwritten data [2].
Impact
Successful exploitation allows a remote attacker to overwrite heap memory out-of-bounds on the victim's device. This can lead to arbitrary code execution, denial of service, or other memory corruption consequences, depending on the overwritten data [2]. The attacker gains the ability to corrupt heap structures, potentially compromising the confidentiality, integrity, or availability of the application.
Mitigation
Telegram fixed this vulnerability in versions Android v7.1.0 (2090) released on September 30, 2020, iOS v7.1 released on September 30, 2020, and macOS v7.1 released on October 2, 2020 [1]. Users should update their Telegram clients to these or later versions. No workarounds are available for unpatched versions.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Telegram/Telegram Android
- Range: <7.1
- Range: <7.1
- Range: <7.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check on the loop index `pos` in `VGradientCache::generateGradientColorTable` allows writing past the end of a fixed-size heap buffer."
Attack vector
An attacker sends a malicious animated sticker (a Lottie JSON file) to a Telegram user. When the victim's Telegram client renders the sticker, the parser reaches `VGradientCache::generateGradientColorTable` [ref_id=1]. The attacker controls the `curr->first` float value in the gradient stops, which causes the `while (fpos <= curr->first)` loop to write `colorTable[pos]` entries beyond the allocated 1024-element buffer [ref_id=1]. The written data is constrained to ARGB-encoded colors derived from the sticker's gradient stops, but the number of out-of-bounds writes is attacker-controlled [ref_id=1].
Affected code
The vulnerability resides in `VGradientCache::generateGradientColorTable` in `rlottie/src/vector/vdrawhelper.cpp` [ref_id=1]. The function writes into a fixed-size `uint32_t` array (`colorTable`, size 1024) without checking that the index `pos` stays below that size [ref_id=1].
What the fix does
Telegram patched the issue in versions 7.1.0 (Android), 7.1 (iOS), and 7.1 (macOS), released September–October 2020 [ref_id=1]. The advisory does not include a patch diff, but the fix is described as adding a bounds check on `pos` against `size` in the `while` loop of `generateGradientColorTable`, preventing the out-of-bounds write [ref_id=1]. No further technical details of the patch are provided in the reference.
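To make the root cause and the described fix concrete, here is an added illustrative model of the color-table fill loop, written for this page and not taken from rlottie or Telegram's fork. It assumes a simplified stop representation (a float offset plus a packed ARGB value) and a plain per-channel lerp instead of rlottie's own interpolation macro; the function and type names are hypothetical. `unboundedLeadingWrites` only counts how many slots the unguarded `while (fpos <= curr->first)` loop would touch, without writing anything, so the overrun can be observed safely; `generateGradientColorTableChecked` is the hardened form with the `pos < size` guard the advisory describes.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
#include <utility>

// Constructed model of a gradient stop: offset (normally in [0,1]) and a
// packed ARGB colour. Illustrative names, not rlottie's VGradientStop.
using GradientStop = std::pair<float, uint32_t>;

constexpr std::size_t kColorTableSize = 1024;  // fixed table size named in the advisory

// Count the slots the UNCHECKED leading loop would write for the first stop,
// performing no writes. A stop offset above 1.0, which the sticker file
// controls, drives the count past the table size.
std::size_t unboundedLeadingWrites(const std::vector<GradientStop>& stops,
                                   std::size_t size) {
    if (stops.empty() || size == 0) return 0;
    const float incr = 1.0f / static_cast<float>(size);
    float fpos = 1.5f * incr;
    std::size_t pos = 1;                       // slot 0 always gets the first colour
    while (fpos <= stops.front().first) {      // no `pos < size` guard here
        ++pos;
        fpos += incr;
        if (pos > 4 * size) break;             // cap so this counter terminates; the real loop had none
    }
    return pos;
}

// Per-channel linear interpolation of two packed ARGB values (stand-in for
// rlottie's interpolation macro; not the project's code).
static uint32_t lerpArgb(uint32_t a, uint32_t b, float t) {
    uint32_t out = 0;
    for (int shift = 0; shift < 32; shift += 8) {
        const float ca = static_cast<float>((a >> shift) & 0xFFu);
        const float cb = static_cast<float>((b >> shift) & 0xFFu);
        const uint32_t c = static_cast<uint32_t>(ca + (cb - ca) * t + 0.5f);
        out |= (c & 0xFFu) << shift;
    }
    return out;
}

// Hardened fill: every write is guarded by `pos < size`, so a crafted first
// stop can at most saturate the table with one colour.
std::vector<uint32_t> generateGradientColorTableChecked(
        const std::vector<GradientStop>& stops, std::size_t size) {
    std::vector<uint32_t> table(size, 0u);
    if (stops.empty() || size == 0) return table;
    const float incr = 1.0f / static_cast<float>(size);
    float fpos = 1.5f * incr;
    std::size_t pos = 0;
    uint32_t curColor = stops[0].second;
    table[pos++] = curColor;
    // Leading run: hold the first colour until its offset is reached.
    // The `pos < size` test is the fix; without it a large stops[0].first
    // walks `pos` off the end of the buffer.
    while (pos < size && fpos <= stops[0].first) {
        table[pos] = table[pos - 1];
        ++pos;
        fpos += incr;
    }
    for (std::size_t i = 0; i + 1 < stops.size(); ++i) {
        const GradientStop& curr = stops[i];
        const GradientStop& next = stops[i + 1];
        const float span = next.first - curr.first;
        const uint32_t nextColor = next.second;
        while (pos < size && fpos < next.first) {
            float t = span > 0.0f ? (fpos - curr.first) / span : 1.0f;
            if (t < 0.0f) t = 0.0f;
            if (t > 1.0f) t = 1.0f;
            table[pos++] = lerpArgb(curColor, nextColor, t);
            fpos += incr;
        }
        curColor = nextColor;
    }
    for (; pos < size; ++pos) table[pos] = curColor;
    table[size - 1] = curColor;                // last stop always ends the table
    return table;
}

// Constructed inputs: a normal two-stop gradient and one whose first stop
// offset (5.0) lies far outside [0,1], the shape of input the advisory describes.
std::vector<GradientStop> benignStops()  { return {{0.0f, 0xFFFF0000u}, {1.0f, 0xFF0000FFu}}; }
std::vector<GradientStop> craftedStops() { return {{5.0f, 0xFF00FF00u}, {6.0f, 0xFFFFFFFFu}}; }
```

With the benign input the unguarded loop never exceeds the table, while the crafted input would have it write thousands of slots; the checked version fills exactly 1024 entries in both cases. A renderer-side validation step that rejects stop offsets outside [0,1] before the fill runs is a cheap additional layer on top of the loop guard.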
Preconditions
- Configuration: Victim must use a Telegram client (Android <7.1.0, iOS <7.1, or macOS <7.1) that renders animated stickers via the rlottie library
- Input: Attacker must deliver a crafted Lottie JSON file as an animated sticker to the victim
- Network: No authentication bypass or special network position required; the sticker can be sent through normal Telegram messaging
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.