VYPR
Unrated severity · NVD Advisory · Published May 18, 2021 · Updated Aug 3, 2024

CVE-2021-31321

Description

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Stack Based Overflow in the gray_split_cubic function of their custom fork of the rlottie library. A remote attacker might be able to overwrite Telegram's stack memory out-of-bounds on a victim device via a malicious animated sticker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack-based buffer overflow in the gray_split_cubic function of Telegram's rlottie fork, reachable remotely through a malicious animated sticker and potentially leading to code execution on the victim's device.

Vulnerability

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a stack-based buffer overflow in the gray_split_cubic function of their custom fork of the rlottie library [1]. The bez_stack array has a hardcoded size of 16 * 3 + 1 entries, but the position written by the curve-subdivision loop is never checked against that size, so specially crafted Transform property values can drive writes past the end of the array [2].

Exploitation

An attacker sends a malicious animated sticker to a victim whose Telegram client predates the fixed versions. No authentication is needed, and no user interaction beyond opening the sticker is required. The sticker carries Transform property values that make gray_split_cubic write beyond the bounds of bez_stack, overwriting adjacent stack memory [1][2].

Impact

Successful exploitation allows a remote attacker to overwrite Telegram's stack memory out-of-bounds, potentially leading to arbitrary code execution on the victim's device with the privileges of the Telegram app [1][2].

Mitigation

Telegram released fixes in versions Android v7.1.0 (2090) (September 30, 2020), iOS v7.1 (September 30, 2020), and macOS v7.1 (October 2, 2020) [1]. Users should update to these or later versions. No workarounds are available for unpatched versions [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing bounds check in the curve-subdivision loop around `gray_split_cubic`: `bez_stack` has a fixed size of 16 * 3 + 1 entries, and nothing stops the write position from advancing past its end, so attacker-influenced curve data is written past a fixed-size stack buffer."

Attack vector

An attacker crafts a malicious Lottie animated sticker (JSON) whose Transform property carries values chosen so that the cubic-curve subdivision in `gray_split_cubic` does not stop before the write position runs past the end of the fixed-size `bez_stack` array. When Telegram renders the sticker, the overflowing writes corrupt adjacent stack memory, potentially leading to code execution on the victim's device [ref_id=1].

Affected code

The vulnerability resides in the `gray_split_cubic` function of Telegram's custom rlottie fork (in upstream rlottie this is the FreeType-derived scanline rasterizer, `rlottie/src/vector/freetype/v_ft_raster.cpp`). The `bez_stack` array holds 16 * 3 + 1 entries, but the loop that splits cubic segments into that array does not verify the index against the array size, allowing out-of-bounds writes on the stack [ref_id=1].

What the fix does

Telegram patched the issue in versions 7.1.0 (2090) (Android), 7.1 (iOS), and 7.1 (macOS), released September–October 2020 [ref_id=1]. The advisory does not include a patch diff, so the exact change is not known from these sources; any correct fix must ensure the subdivision loop cannot write past the end of `bez_stack`, typically by capping the subdivision depth so that the write position always stays within the 16 * 3 + 1 entries [ref_id=1].
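To make the failure mode concrete, the following is an added C example, written for this page and not taken from rlottie or Telegram's fork, of the FreeType-style flattening loop that `gray_split_cubic` belongs to. It models the 16 * 3 + 1 point stack the advisory quotes, runs the same loop once without and once with a depth limit, and reports when the unchecked loop would write past `bez_stack`. The assumed trigger (a NaN control point that makes the flatness test never succeed) and the depth-cap fix are this example's own constructions; the real sticker values and Telegram's actual patch are not on this page.

```c
/* Added example: FreeType-style cubic flattening onto a fixed stack.
 * Not rlottie or Telegram code; the trigger and the fix below are constructed
 * for illustration and do not reproduce the real sticker values or patch. */
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_LEVELS   16
#define STACK_POINTS (MAX_LEVELS * 3 + 1)  /* the 16 * 3 + 1 sizing quoted in the advisory */
#define MAX_SPLITS   (MAX_LEVELS - 1)      /* deepest chain whose arc[3] still lands on index 48 */

typedef struct { double x, y; } Pt;

typedef struct {
    int  segments;    /* line segments handed on to the scanline stage */
    int  max_depth;   /* deepest subdivision reached */
    bool overflowed;  /* unchecked loop: a split would have written past bez_stack */
} FlattenResult;

/* De Casteljau split at t = 1/2, in place: reads arc[0..3], writes arc[0..6].
 * Each split therefore needs three more slots than the curve it replaces. */
static void split_cubic(Pt *arc) {
    Pt a = arc[0], b = arc[1], c = arc[2], d = arc[3];
    Pt ab  = { (a.x + b.x) / 2, (a.y + b.y) / 2 };
    Pt bc  = { (b.x + c.x) / 2, (b.y + c.y) / 2 };
    Pt cd  = { (c.x + d.x) / 2, (c.y + d.y) / 2 };
    Pt abc = { (ab.x + bc.x) / 2, (ab.y + bc.y) / 2 };
    Pt bcd = { (bc.x + cd.x) / 2, (bc.y + cd.y) / 2 };
    Pt mid = { (abc.x + bcd.x) / 2, (abc.y + bcd.y) / 2 };
    arc[1] = ab; arc[2] = abc; arc[3] = mid; arc[4] = bcd; arc[5] = cd; arc[6] = d;
}

/* Flat when both control points sit within tol of the chord. A NaN coordinate
 * makes the comparisons false, so such a curve is never flat (assumed trigger). */
static bool is_flat(const Pt *c, double tol) {
    double ux = 3 * c[1].x - 2 * c[0].x - c[3].x, uy = 3 * c[1].y - 2 * c[0].y - c[3].y;
    double vx = 3 * c[2].x - c[0].x - 2 * c[3].x, vy = 3 * c[2].y - c[0].y - 2 * c[3].y;
    double limit = 16 * tol * tol;
    return (ux * ux + uy * uy) <= limit && (vx * vx + vy * vy) <= limit;
}

/* Iterative flattening with an explicit point stack. patched=false mirrors a
 * loop with no depth check; patched=true caps the depth so writes stay in bounds. */
FlattenResult flatten_cubic(const Pt in[4], double tol, bool patched) {
    Pt  bez_stack[STACK_POINTS];
    int levels[MAX_LEVELS];   /* subdivision depth of the curve parked in each slot */
    Pt *arc = bez_stack;
    int top = 0;
    FlattenResult r = { 0, 0, false };

    for (int i = 0; i < 4; i++) arc[i] = in[i];
    levels[0] = 0;

    for (;;) {
        int  depth = levels[top];
        bool flat  = is_flat(arc, tol);
        if (depth > r.max_depth) r.max_depth = depth;

        if (!flat && patched && depth >= MAX_SPLITS)
            flat = true;    /* fix: budget exhausted, draw the chord instead of splitting */

        if (!flat) {
            /* A split writes arc[0..6] and levels[top + 1]. Without the depth cap
             * nothing keeps them inside the arrays once top reaches 15; instead of
             * corrupting the stack this model records the would-be overflow. */
            if (arc + 7 > bez_stack + STACK_POINTS) { r.overflowed = true; return r; }
            split_cubic(arc);
            levels[top] = levels[top + 1] = depth + 1;
            top++;
            arc += 3;       /* descend into the second half; the first half waits below */
            continue;
        }
        r.segments++;       /* emit the line arc[0] -> arc[3] */
        if (top == 0) return r;
        top--;
        arc -= 3;           /* resume with the pending first half */
    }
}

int main(void) {
    /* Constructed inputs: a benign curve and a hostile one with a NaN control point. */
    Pt benign[4]  = { {0, 0}, {0, 100}, {100, 100}, {100, 0} };
    Pt hostile[4] = { {0, 0}, {NAN, 0}, {100, 100}, {100, 0} };
    FlattenResult a = flatten_cubic(benign, 0.25, false);
    FlattenResult b = flatten_cubic(hostile, 0.25, false);
    FlattenResult c = flatten_cubic(hostile, 0.25, true);
    printf("benign:            %d segments, depth %d\n", a.segments, a.max_depth);
    printf("hostile unchecked: overflow=%d at depth %d\n", (int)b.overflowed, b.max_depth);
    printf("hostile patched:   %d segments, depth %d, overflow=%d\n",
           c.segments, c.max_depth, (int)c.overflowed);
    return 0;
}
```

The point the model makes: the stack position alone does not bound the recursion, because a pending first half at slot 14 can be split again and again. That is why the fix has to cap the subdivision depth (the `levels` bookkeeping) rather than only compare the pointer against the array end; with the cap, the hostile curve degrades to 2^15 chord segments and never leaves the array, while the unchecked loop reaches slot 15 and would write past the 16 * 3 + 1 entries.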

Preconditions

  • Config: victim must use Telegram Android <7.1.0 (2090), Telegram iOS <7.1, or Telegram macOS <7.1
  • Network: attacker sends a malicious animated sticker to the victim (e.g., via chat)
  • Input: victim opens or views the animated sticker, triggering rlottie rendering

Generated on May 25, 2026. Inputs: CWE entries and this CVE's references; no fix-commit diff is available for this CVE. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)