VYPR
Unrated severity · NVD Advisory · Published May 18, 2021 · Updated Aug 3, 2024

CVE-2021-31322

Description

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the LOTGradient::populate function of their custom fork of the rlottie library. A remote attacker might be able to access heap memory out-of-bounds on a victim device via a malicious animated sticker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Telegram Android, iOS, and macOS are affected by a heap buffer overflow in rlottie's LOTGradient::populate, allowing remote memory read via malicious animated stickers.

Vulnerability

Telegram's custom fork of the rlottie library, used to render animated stickers, contains a heap buffer overflow in the LOTGradient::populate function [1]. The vulnerability exists in versions prior to Android 7.1.0 (2090), iOS 7.1, and macOS 7.1. The root cause is insufficient validation of the number of color points read from a Lottie animation, leading to an out-of-bounds read on heap memory [2].

Exploitation

A remote attacker can exploit this vulnerability by sending a specially crafted malicious animated sticker to a Telegram user [1]. When the recipient's Telegram client renders the sticker (e.g., upon opening the sticker or viewing it in a chat), the LOTGradient::populate function is invoked with attacker-controlled data, causing a heap buffer overflow [2]. No authentication or user interaction beyond viewing the sticker is required.

Impact

Successful exploitation results in an out-of-bounds read from heap memory, potentially allowing the attacker to access sensitive information from the Telegram client's memory [1][2]. This could include message content, session tokens, or other confidential data. The vulnerability does not directly enable code execution or privilege escalation.

Mitigation

The vulnerability was fixed in Telegram Android v7.1.0 (2090), Telegram iOS v7.1, and Telegram macOS v7.1, released in September-October 2020 [1]. Users should update to these or later versions. No workaround exists other than applying the update. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Telegram/Telegram Android
  • Range: Android <7.1.0 (2090), iOS <7.1, macOS <7.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check on loop index `pos` in `VGradientCache::generateGradientColorTable` allows writing 4 bytes past the end of a fixed-size heap buffer."

Attack vector

A remote attacker sends a malicious animated sticker (Lottie JSON) to a Telegram user. When the victim's client renders the sticker, the `LOTGradient::populate` code path reaches `VGradientCache::generateGradientColorTable` with attacker-controlled gradient stop data (`curr->first` and `curr->second`). The loop writes 4-byte ARGB values past the end of the fixed-size `colorTable` heap buffer, causing a heap buffer overflow [ref_id=1]. No authentication or user interaction beyond viewing the sticker is required.

Affected code

The vulnerability resides in the `VGradientCache::generateGradientColorTable` function in `rlottie/src/vector/vdrawhelper.cpp`. The `colorTable` array is a heap-allocated `uint32_t` buffer of static size 1024, but the loop that writes into it does not check the index `pos` against `size` [ref_id=1].

What the fix does

Telegram patched the issue in client versions 7.1.0 (Android), 7.1 (iOS), and 7.1 (macOS) released September–October 2020 [ref_id=1]. The advisory does not include a patch diff, but the fix is described as correcting the unbounded loop in `VGradientCache::generateGradientColorTable` so that `pos` is checked against `size` before writing to `colorTable`, preventing the out-of-bounds write [ref_id=1].
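The bounds check described above, as an added illustration; it is not rlottie's or Telegram's code. The `stop_t` type, the function names, the simplified step fill (no colour interpolation) and the sample stops are assumptions constructed for this example; only the 1024-entry table and the `pos < size` check come from the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 1024u          /* static colorTable size given above */
#define CANARY     0xDEADBEEFu    /* constructed guard value */
/* Hypothetical stand-in for one gradient stop (curr->first, curr->second). */
typedef struct { float first; uint32_t second; } stop_t;

/* Entries a fill trusting stop offsets alone would touch; counts only, never writes. */
size_t entries_unchecked(const stop_t *s, size_t n, size_t size)
{
    float incr = 1.0f / (float)size, fpos = 0.5f * incr;
    size_t pos = 0;
    for (size_t i = 0; i < n; i++)
        while (fpos <= s[i].first && pos < 4 * size) { pos++; fpos += incr; }
    return pos;
}

/* Hardened fill: every 4-byte write is gated on pos < size. */
size_t fill_checked(const stop_t *s, size_t n, uint32_t *table, size_t size)
{
    if (!s || !table || n == 0 || size == 0) return 0;
    float incr = 1.0f / (float)size, fpos = 0.5f * incr;
    size_t pos = 0;
    for (size_t i = 0; i < n && pos < size; i++)
        while (fpos <= s[i].first && pos < size) {
            table[pos++] = s[i].second;
            fpos += incr;
        }
    while (pos < size) table[pos++] = s[n - 1].second; /* pad with last colour */
    return pos;
}

/* Fills a table followed by a guard word; returns 1 if the guard survived. */
int guard_intact(const stop_t *s, size_t n)
{
    static uint32_t buf[TABLE_SIZE + 1];
    buf[TABLE_SIZE] = CANARY;
    fill_checked(s, n, buf, TABLE_SIZE);
    return buf[TABLE_SIZE] == CANARY;
}

int main(void)
{
    const stop_t bad[] = { {0.0f, 0xFF000000u}, {1.5f, 0xFFFFFFFFu} }; /* constructed */
    printf("unchecked=%zu guard=%d\n", entries_unchecked(bad, 2, TABLE_SIZE), guard_intact(bad, 2));
    return 0;
}
```

Comparing `entries_unchecked` against the table size is also a cheap pre-render validation: any stop list for which it exceeds `TABLE_SIZE` can be rejected before the table is filled.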

Preconditions

  • config: Victim uses Telegram Android <7.1.0 (2090), Telegram iOS <7.1, or Telegram macOS <7.1
  • input: Attacker sends a crafted animated sticker (Lottie JSON) to the victim
  • input: Victim views the sticker (automatic in chat preview or manual open)

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
