CVE-2026-47318
Description
Stack-based buffer overflow in Samsung rlottie due to missing bounds check, potentially triggered by malicious Lottie files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow vulnerability exists in Samsung Open Source rlottie. The issue occurs because the gray_render_cubic function does not perform a bounds check before calling gray_split_cubic. This can lead to an overflow when processing Lottie files with malformed cubic curves. This affects rlottie versions prior to commit ce72b35a7ad0dded03051d3aa0ef75321c3bd035 [1].
Exploitation
An attacker can trigger this vulnerability by providing a specially crafted Lottie file containing malformed cubic curve data. When rlottie rasterizes that file, repeated subdivision of the curve in gray_render_cubic advances the working pointer through the fixed-size bez_stack array until gray_split_cubic writes beyond its end, corrupting the stack frame. No specific network position, authentication, or user interaction is mentioned as required beyond getting the Lottie file processed; in practice the exposed surface is any application that renders untrusted Lottie animations with rlottie.
Impact
The stack-based buffer overflow corrupts memory in the rasterizer's stack frame. The references do not detail the practical impact; as with other stack overflows, the likely outcome is a crash (denial of service), and arbitrary code execution cannot be ruled out, depending on what lies beyond bez_stack in the frame, the attacker's control over the written values, and the mitigations (stack canaries, ASLR, CFI) built into the consuming application.
Mitigation
The vulnerability is addressed in rlottie by adding a bounds check before calling gray_split_cubic in the gray_render_cubic function. The fix is available in the pull request [1]. Users should update to a version of rlottie that includes this fix. The specific fixed version number or release date is not yet disclosed in the available references.
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1. Range: <ce72b35a7ad0dded03051d3aa0ef75321c3bd035
Patches
19e4f354f6ebd Fix stack overflow vulnerability in gray_render_cubic
1 file changed · +2 −0
src/vector/freetype/v_ft_raster.cpp+2 −0 modified@@ -806,6 +806,8 @@ gray_render_cubic(RAS_ARG_ const SW_FT_Vector* control1, continue; Split: + if ( arc - ras.bez_stack >= 31 * 3 ) + return; // bez_stack size is 32*3+1 gray_split_cubic( arc ); arc += 3; }
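Review bot: the early `return` on the `Split:` path silently gives up on the rest of the curve once `arc - ras.bez_stack >= 31 * 3`, so an over-deep cubic is dropped rather than reported; consider finishing the remaining arc with a straight line to `arc[0]` (or signalling an error to the caller) so the outline is not quietly truncated. The literals `31 * 3` and the comment `// bez_stack size is 32*3+1` are two places that must be kept in sync with the array declaration by hand; deriving the limit from `sizeof(ras.bez_stack) / sizeof(ras.bez_stack[0])` minus the seven entries `gray_split_cubic` writes (`arc[0..6]`, assuming it matches FreeType's split) would make the bound self-documenting. With `arc` advancing three entries per level, `31 * 3` is the tightest safe value: at offset 90 the split writes up to index 96, the last element of a 97-entry array.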
Vulnerability mechanics
Root cause
"A stack-based buffer overflow occurs in gray_render_cubic due to missing bounds checking before calling gray_split_cubic."
Attack vector
An attacker can trigger this vulnerability by providing a specially crafted Lottie file. This file must contain cubic curve data for which the rasterizer keeps subdividing: each subdivision level advances the `arc` pointer three entries further into the fixed-size `bez_stack` array (32*3+1 entries, per the patch comment), and once the pointer has advanced past the last position that can hold a split result, `gray_split_cubic` writes beyond the array's boundaries.
Affected code
The vulnerability resides in the `gray_render_cubic` function within the file `src/vector/freetype/v_ft_raster.cpp`. Specifically, the issue arises from the logic that handles cubic curves and the `bez_stack` array.
What the fix does
The patch introduces a bounds check before calling `gray_split_cubic` within the `gray_render_cubic` function [patch_id=4787684]. This check ensures that the `arc` pointer does not exceed the allocated size of the `bez_stack` array. By preventing writes beyond the array's limits, the fix mitigates the stack overflow vulnerability.
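The subdivision loop and the added bound, as a runnable model added here; it is not rlottie's or FreeType's code. The 8-bit sub-pixel scale, the flatness test, the split arithmetic and the end-point-first stack order follow FreeType's ftgrays.c, from which v_ft_raster.cpp is assumed to derive; `flat_never` is a stand-in for malformed curve data whose flatness test never passes (the page does not say which values produce that), and all curve coordinates are constructed. The pre-fix loop is modelled by reporting the out-of-bounds write instead of performing it.

```c
/* Added example, not rlottie's code: a model of the gray_render_cubic loop
 * with its fixed bez_stack, run as the pre-fix loop and with the patch's bound.
 * Sub-pixel scale, flatness test and stack layout are taken from FreeType's
 * ftgrays.c; that rlottie's copy matches exactly is an assumption. */
#include <stdint.h>
#include <stdio.h>

#define ONE_PIXEL     256            /* 8 sub-pixel bits (assumed) */
#define BEZ_STACK_LEN (32 * 3 + 1)   /* "bez_stack size is 32*3+1" per the patch */
#define BEZ_LIMIT     (31 * 3)       /* the bound the patch adds */

typedef struct { int64_t x, y; } Vec;
typedef int (*flat_fn)(const Vec *arc);   /* nonzero: draw arc[0..3] as one line */

typedef struct {
    int lines;      /* line segments that would be emitted */
    int max_index;  /* deepest arc offset reached, in Vec entries */
    int truncated;  /* patched bound fired; rest of the curve dropped */
    int overflow;   /* pre-fix loop would have written past bez_stack */
} Report;

static int64_t iabs64(int64_t v) { return v < 0 ? -v : v; }

/* FreeType's criterion: flat once the control points are within half a
 * pixel of the chord trisection points. */
static int flat_real(const Vec *a)
{
    return !(iabs64(2 * a[0].x - 3 * a[1].x + a[3].x) > ONE_PIXEL / 2 ||
             iabs64(2 * a[0].y - 3 * a[1].y + a[3].y) > ONE_PIXEL / 2 ||
             iabs64(a[0].x - 3 * a[2].x + 2 * a[3].x) > ONE_PIXEL / 2 ||
             iabs64(a[0].y - 3 * a[2].y + 2 * a[3].y) > ONE_PIXEL / 2);
}

/* Stand-in (assumption) for malformed curve data whose test never passes. */
static int flat_never(const Vec *a) { (void)a; return 0; }

/* de Casteljau split of base[0..3] into base[0..3] and base[3..6]; the same
 * arithmetic as gray_split_cubic. Note that it writes seven entries. */
static void split_cubic(Vec *base)
{
    int64_t a, b, c;
    base[6].x = base[3].x;
    a = base[0].x + base[1].x; b = base[1].x + base[2].x; c = base[2].x + base[3].x;
    base[5].x = c >> 1; c += b; base[4].x = c >> 2;
    base[1].x = a >> 1; a += b; base[2].x = a >> 2;
    base[3].x = (a + c) >> 3;
    base[6].y = base[3].y;
    a = base[0].y + base[1].y; b = base[1].y + base[2].y; c = base[2].y + base[3].y;
    base[5].y = c >> 1; c += b; base[4].y = c >> 2;
    base[1].y = a >> 1; a += b; base[2].y = a >> 2;
    base[3].y = (a + c) >> 3;
}

static Report render_cubic(Vec p0, Vec p1, Vec p2, Vec p3, flat_fn flat, int patched)
{
    Vec bez_stack[BEZ_STACK_LEN];
    Vec *arc = bez_stack;
    Report r = {0, 0, 0, 0};

    arc[0] = p3; arc[1] = p2; arc[2] = p1; arc[3] = p0;   /* end point first, as FreeType does */
    for (;;) {
        int idx = (int)(arc - bez_stack);
        if (idx > r.max_index) r.max_index = idx;
        if (flat(arc)) {
            r.lines++;                          /* gray_render_line(arc[0]) in the real code */
            if (arc == bez_stack) return r;
            arc -= 3;                           /* pop: continue with the pending half */
            continue;
        }
        /* Split: */
        if (patched && idx >= BEZ_LIMIT) {      /* the check the fix adds */
            r.truncated = 1;
            return r;
        }
        if (idx + 6 >= BEZ_STACK_LEN) {         /* model only: the real split would now write past the array */
            r.overflow = 1;
            return r;
        }
        split_cubic(arc);
        arc += 3;                               /* push: go one level deeper */
    }
}

/* Constructed inputs, in 1/256 pixel units (not taken from the page). */
static Report scenario_straight(int patched)   /* evenly spaced collinear points: flat at once */
{
    Vec p0 = {0, 0}, p1 = {1000, 1000}, p2 = {2000, 2000}, p3 = {3000, 3000};
    return render_cubic(p0, p1, p2, p3, flat_real, patched);
}
static Report scenario_curved(int patched)     /* a 2x2 pixel bulge: a few levels of subdivision */
{
    Vec p0 = {0, 0}, p1 = {0, 512}, p2 = {512, 512}, p3 = {512, 0};
    return render_cubic(p0, p1, p2, p3, flat_real, patched);
}
static Report scenario_malformed(int patched)  /* data whose flatness test never passes */
{
    Vec p0 = {0, 0}, p1 = {0, 512}, p2 = {512, 512}, p3 = {512, 0};
    return render_cubic(p0, p1, p2, p3, flat_never, patched);
}

int main(void)
{
    Report a = scenario_curved(1), b = scenario_malformed(0), c = scenario_malformed(1);
    printf("curved: %d lines, deepest index %d\n", a.lines, a.max_index);
    printf("malformed, pre-fix: overflow=%d at index %d (array holds %d entries)\n",
           b.overflow, b.max_index, BEZ_STACK_LEN);
    printf("malformed, patched: truncated=%d overflow=%d\n", c.truncated, c.overflow);
    return 0;
}
```

The model makes the arithmetic of the fix visible: `arc` only ever sits at a multiple of three, a split touches `arc[0..6]`, so offset 90 is the last one whose split stays inside 97 entries and the loop must stop at 93, which is exactly `31 * 3`. It also shows the fix's trade-off: for the malformed input the patched loop returns with `truncated` set and nothing drawn, rather than reporting an error.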
Preconditions
- input: A malicious Lottie file with incorrect cubic curve data.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (1)
1. Samsung rlottie: Seven Medium-Severity Memory Corruption Vulnerabilities Disclosed. Vypr Intelligence, Jun 4, 2026.