VYPR
Medium severity 6.1 · NVD Advisory · Published Jun 4, 2026

CVE-2026-47306

Description

rlottie's uncontrolled recursion allows crafted Lottie files to crash the process via SIGSEGV.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An uncontrolled recursion vulnerability exists in Samsung Open Source rlottie, specifically within the renderer::CompLayer::CompLayer() function called via createLayerItem(). This issue is triggered by malicious Lottie JSON files containing self-referencing or mutually referencing precomp assets, such as an asset "a" that includes a layer with refId="a". This leads to infinite recursion and a SIGSEGV crash. The vulnerability affects rlottie versions before commit e2d19e3b150e0e4a9586fa90b56fd3061cc98945 [1].

Exploitation

An attacker needs to provide a specially crafted Lottie JSON file to a user or process that utilizes the rlottie library for rendering. The malicious file must contain a circular dependency among its precomp assets. When rlottie attempts to parse and render this file, the infinite recursion will be triggered, leading to a crash.

Impact

Successful exploitation of this vulnerability results in a denial-of-service condition, causing the process rendering the Lottie file to crash with a SIGSEGV signal. This prevents the intended content from being displayed and can disrupt the application's functionality.

Mitigation

The vulnerability is addressed by a fix merged in pull request #585, which detects and handles cyclic asset dependencies by skipping problematic precomp layers. This change is incorporated in rlottie commit e2d19e3b150e0e4a9586fa90b56fd3061cc98945. Users should update to a version of rlottie that includes this commit or later. No other mitigation details are available in the provided references [1].

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Samsung Mobile/Rlottie (2 versions)
    • (no CPE)
    • (no CPE) range: <e2d19e3b150e0e4a9586fa90b56fd3061cc98945

Patches

1cda06022e53

Fix infinite recursion caused by circular asset references in Lottie files

https://github.com/samsung/rlottie · Michal Szczecinski · Apr 28, 2026 · via nvd-ref
1 file changed · +38 -0
  • src/lottie/lottieparser.cpp · +38 -0 · modified
    @@ -54,6 +54,8 @@
     // the parse.
     
     #include <array>
    +#include <queue>
    +#include <unordered_set>
     
     #include "lottiemodel.h"
     #include "rapidjson/document.h"
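    Review bot: the two added includes cover std::queue and std::unordered_set, but the block added to resolveLayerRefs() also uses std::unordered_map, std::vector and std::string, and none of their headers appear in the include lines shown here. If they are only reached through lottiemodel.h or another header, add <unordered_map>, <vector> and <string> explicitly so this file does not depend on transitive includes.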
    @@ -647,12 +649,48 @@ model::BlendMode LottieParserImpl::getBlendMode()
     
     void LottieParserImpl::resolveLayerRefs()
     {
    +    // Build directed graph: assetId → direct precomp refIds.
    +    // Then BFS from each asset to detect if it can reach itself (cycle).
    +    std::unordered_set<std::string> cyclicAssets;
    +    {
    +        std::unordered_map<std::string, std::vector<std::string>> deps;
    +        for (const auto &kv : compRef->mAssets) {
    +            for (const auto &obj : kv.second->mLayers) {
    +                if (obj->type() != model::Object::Type::Layer) continue;
    +                auto layer = static_cast<model::Layer *>(obj);
    +                if (layer->mLayerType == model::Layer::Type::Precomp &&
    +                    layer->mExtra && !layer->mExtra->mPreCompRefId.empty()) {
    +                    deps[kv.first].push_back(layer->mExtra->mPreCompRefId);
    +                }
    +            }
    +        }
    +        for (const auto &kv : deps) {
    +            const std::string &           startId = kv.first;
    +            std::unordered_set<std::string> visited;
    +            std::queue<std::string>         q;
    +            for (const auto &dep : kv.second) q.push(dep);
    +            while (!q.empty()) {
    +                std::string id = q.front(); q.pop();
    +                if (id == startId) { cyclicAssets.insert(startId); break; }
    +                if (!visited.insert(id).second) continue;
    +                auto it = deps.find(id);
    +                if (it != deps.end())
    +                    for (const auto &dep : it->second) q.push(dep);
    +            }
    +        }
    +    }
    +
         for (const auto &layer : mLayersToUpdate) {
             auto search = compRef->mAssets.find(layer->extra()->mPreCompRefId);
             if (search != compRef->mAssets.end()) {
                 if (layer->mLayerType == model::Layer::Type::Image) {
                     layer->extra()->mAsset = search->second;
                 } else if (layer->mLayerType == model::Layer::Type::Precomp) {
    +                if (cyclicAssets.count(search->first)) {
    +                    vWarning << "Circular asset reference detected, ignoring: "
    +                             << search->first;
    +                    continue;
    +                }
                     layer->mChildren = search->second->mLayers;
                     layer->setStatic(layer->isStatic() &&
                                      search->second->isStatic());
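    Review bot: the loop `for (const auto &kv : deps)` restarts a full BFS for every asset, so the cycle check costs O(assets × edges) on input the file author controls, and `std::queue<std::string>` copies each id as it is queued. One strongly-connected-components pass over deps yields the same cyclicAssets set (every asset in a component of more than one node, or with an edge to itself) in linear time. Separately, the `continue` drops every Precomp layer that points at a cyclic asset, including references from outside the cycle, so the whole asset renders empty; a comment stating that this is intended, and a regression test for the self-reference and mutual-reference cases, would help, since the commit changes only lottieparser.cpp.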
    

Vulnerability mechanics

Root cause

"Uncontrolled recursion occurs due to circular asset references in Lottie files."

Attack vector

An attacker can craft a malicious Lottie JSON file containing a self-referencing or mutually referencing precomp asset. When this file is processed, it can lead to infinite recursion in the `renderer::CompLayer::CompLayer()` function via `createLayerItem()`. This uncontrolled recursion can ultimately crash the process with a SIGSEGV signal [patch_id=4787685].

Affected code

The vulnerability lies within the `resolveLayerRefs()` function in `src/lottie/lottieparser.cpp`. Specifically, the logic for resolving precomposition references (`mPreCompRefId`) accepted circular dependencies between assets, which later drive the unbounded recursion described above.

What the fix does

The patch modifies the `resolveLayerRefs()` function to detect circular asset dependencies before assigning children to layers. It builds a directed asset dependency graph and performs a Breadth-First Search (BFS) from each asset to identify cycles. If a Precomp layer's reference ID resolves to a cyclic asset, that layer is skipped, preventing infinite recursion and process crashes [patch_id=4787685].
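An added example, not code from rlottie or from this advisory: the same dependency-graph check applied to raw Lottie JSON before it reaches a renderer that may predate the fix. It goes beyond the patch by using one linear depth-first pass instead of a BFS per asset and by returning the offending cycle for logging. It assumes the usual Lottie layout (a top-level `assets` list, each asset with `id` and `layers`, precomp layers marked `ty: 0` with a `refId`); the function names and sample fragments are constructed for illustration.

```python
PRECOMP = 0  # Lottie layer type ("ty") of a precomposition layer

def _items(value):  # list entries that are JSON objects; anything else is ignored
    return [v for v in value if isinstance(v, dict)] if isinstance(value, list) else []

def precomp_deps(doc):
    """Map each asset id to the asset ids its precomp layers reference."""
    deps = {}
    for asset in _items(doc.get("assets") if isinstance(doc, dict) else None):
        if not isinstance(asset.get("id"), str):
            continue
        refs = deps.setdefault(asset["id"], [])
        for layer in _items(asset.get("layers")):
            ref = layer.get("refId")
            if layer.get("ty") == PRECOMP and isinstance(ref, str) and ref:
                refs.append(ref)
    return deps

def find_precomp_cycle(doc):
    """Return one reference cycle as a list of asset ids, or None."""
    deps = precomp_deps(doc)
    state = dict.fromkeys(deps, 0)  # 0 = unvisited, 1 = on current path, 2 = done
    for root in deps:
        if state[root]:
            continue
        state[root], path, stack = 1, [root], [iter(deps[root])]
        while stack:  # explicit stack: the check itself must not recurse
            for nxt in stack[-1]:
                if state.get(nxt) == 1:  # back edge: nxt is already on the path
                    return path[path.index(nxt):] + [nxt]
                if state.get(nxt) == 0:  # ids with no asset (dangling refs) give None
                    state[nxt] = 1
                    path.append(nxt)
                    stack.append(iter(deps[nxt]))
                    break
            else:  # every reference of the top asset has been explored
                state[path.pop()] = 2
                stack.pop()
    return None

# Constructed fragments (only the keys the check reads), not complete animations.
SELF_REF = {"assets": [{"id": "a", "layers": [{"ty": 0, "refId": "a"}]}]}
MUTUAL = {"assets": [{"id": "a", "layers": [{"ty": 0, "refId": "b"}]},
                     {"id": "b", "layers": [{"ty": 0, "refId": "a"}]}]}
CLEAN = {"assets": [{"id": "b", "layers": [{"ty": 4}]}, {"id": "a", "layers": [
    {"ty": 2, "refId": "img"}, {"ty": 0, "refId": "b"}, {"ty": 0, "refId": "gone"}]}]}

if __name__ == "__main__":
    print([find_precomp_cycle(d) for d in (SELF_REF, MUTUAL, CLEAN)])
```

A non-`None` result is grounds to reject the file at ingest; the returned id list can go straight into the log entry.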

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
