VYPR
Medium severity 6.1 · NVD Advisory · Published Jun 4, 2026

CVE-2026-47319

Description

A memory allocation vulnerability in Samsung rlottie allows excessive allocation, potentially leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A memory allocation vulnerability exists in Samsung Open Source rlottie, specifically related to excessive size values during allocation. This issue affects rlottie versions prior to the commit 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd [1].

Exploitation

An attacker could exploit this vulnerability by providing an excessively large size value during memory allocation. The exact conditions or user interaction required to trigger this specific allocation path are not detailed in the available references.

Impact

The vulnerability allows for excessive memory allocation, which can lead to a denial-of-service condition. This means the application or system running rlottie could become unresponsive or crash.

Mitigation

The vulnerability was addressed in rlottie via pull request #588, which corresponds to the commit 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd [1]. Users should update to a version of rlottie that includes this fix. No information regarding workarounds or end-of-life status is available in the provided references.

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Samsung Mobile/Rlottie · references · 2 versions
    • (no CPE)
    • (no CPE), range: <0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd

Patches

1
5def9f402b1c

fixed vpath potential issue

https://github.com/samsung/rlottie · Michal Szczecinski · May 6, 2026 · via nvd-ref
1 file changed · +4 -0
  • src/vector/vpath.cpp · +4 -0 · modified
    @@ -517,6 +517,8 @@ void VPath::VPathData::addPolystar(float points, float innerRadius,
                                        float outerRoundness, float startAngle,
                                        float cx, float cy, VPath::Direction dir)
     {
    +    constexpr float    MAX_POLY_POINTS = 1024.0f;
    +    if (points > MAX_POLY_POINTS) points = MAX_POLY_POINTS;
         const static float POLYSTAR_MAGIC_NUMBER = 0.47829f / 0.28f;
         float              currentAngle = (startAngle - 90.0f) * K_PI / 180.0f;
         float              x;
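Review bot: The new check at the top of addPolystar bounds points only from above, and `points > MAX_POLY_POINTS` is false for NaN, so a NaN, zero or negative value reaches the code below unchanged. If the rest of the function sizes a loop or a buffer from points (not visible in this hunk), write the guard so it also catches those cases, for example `if (!(points <= MAX_POLY_POINTS)) points = MAX_POLY_POINTS;` together with an explicit lower bound.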
    @@ -622,6 +624,8 @@ void VPath::VPathData::addPolygon(float points, float radius, float roundness,
                                       VPath::Direction dir)
     {
         // TODO: Need to support floating point number for number of points
    +    constexpr float    MAX_POLY_POINTS = 1024.0f;
    +    if (points > MAX_POLY_POINTS) points = MAX_POLY_POINTS;
         const static float POLYGON_MAGIC_NUMBER = 0.25;
         float              currentAngle = (startAngle - 90.0f) * K_PI / 180.0f;
         float              x;
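Review bot: MAX_POLY_POINTS is declared a second time inside addPolygon with the same 1024.0f value already added to addPolystar; define it once at file scope so the two limits cannot drift apart, and add a comment saying why 1024 was chosen and that larger inputs are silently clamped. The existing TODO directly above the new lines is about fractional point counts, so the limit deserves its own comment rather than sitting under that one.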
    

References

1
