Medium severity 6.1 · NVD Advisory · Published Jun 4, 2026

CVE-2026-49510

Description

Integer overflow in Samsung rlottie's Gradient::populate() can lead to heap buffer over-read during gradient rendering.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An integer overflow or wraparound vulnerability exists in Samsung's rlottie library, in Gradient::populate() in src/lottie/lottiemodel.cpp. The colorPoints value is derived from untrusted JSON input (the g.p field) and can be set to values greater than or equal to 0x40000000. At that point the int multiplication colorPoints * 4 overflows (to 0 for exactly 0x40000000), so the computed size passes the bounds check instead of being clamped. This issue affects rlottie versions prior to commit 21292665023e5074b38254432716866d00f1985f [1].
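The bounds check described above, next to the division-based comparison used by the patch on this page, as an added example that is not rlottie's own code. The function names `clamp_before` and `clamp_after` and the 16-element buffer size are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Models the pre-patch clamp. The original computes `colorPoints * 4` in int,
// which is undefined behaviour on overflow; the wrap seen in practice is
// reproduced here with well-defined unsigned arithmetic.
int clamp_before(int colorPoints, std::size_t size) {
    std::uint32_t wrapped = static_cast<std::uint32_t>(colorPoints) * 4u;
    std::size_t colorPointsSize =
        static_cast<std::size_t>(static_cast<std::int32_t>(wrapped));
    if (colorPoints < 0 || colorPointsSize > size) {
        colorPoints = static_cast<int>(size / 4);
    }
    return colorPoints;
}

// Models the patched clamp: compare against size / 4, so nothing is
// multiplied before the value has been bounded.
int clamp_after(int colorPoints, std::size_t size) {
    if (colorPoints > 0 && static_cast<std::size_t>(colorPoints) > size / 4) {
        colorPoints = static_cast<int>(size / 4);
    }
    if (colorPoints < 0) {
        colorPoints = static_cast<int>(size / 4);
    }
    return colorPoints;
}

int main() {
    const std::size_t size = 16;  // constructed: 16 floats of gradient data
    const int samples[] = {3, 5, -1, 0x40000000, 0x40000001, 0x60000000};
    for (int cp : samples) {
        std::printf("g.p=%#x  before=%#x  after=%#x\n",
                    static_cast<unsigned>(cp),
                    static_cast<unsigned>(clamp_before(cp, size)),
                    static_cast<unsigned>(clamp_after(cp, size)));
    }
    return 0;
}
```

Values whose wrapped product is small survive the old check unclamped, while a value such as 0x60000000 wraps to a negative int and is still clamped, so the old check fails only for part of the range; the division-based form clamps every oversized value.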

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted JSON input to the rlottie library. The input must contain a g.p field whose value (colorPoints) is 0x40000000 or higher. When Gradient::populate() processes this input, the integer overflow is triggered and the intended bounds check is bypassed.

Impact

Successful exploitation of this vulnerability results in a heap buffer over-read during the gradient rendering process. This can potentially lead to denial of service or information disclosure, depending on what happens to the memory that is read out of bounds.

Mitigation

The vulnerability is addressed in rlottie by commit 21292665023e5074b38254432716866d00f1985f [1]. Users are advised to update to a version of rlottie that includes this fix. No other mitigation or workaround details are available in the provided references.

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Samsung Mobile / Rlottie (2 versions)
    • (no CPE)
    • (no CPE), range: <21292665023e5074b38254432716866d00f1985f

Patches

Commit 8ad981614f8c

Merge 21292665023e5074b38254432716866d00f1985f into ffe60942892c3d68b14560761ea920d360ef51bb

https://github.com/samsung/rlottie · mihashco · Jun 1, 2026 · via nvd-ref
1 file changed · +5 -2
  • src/lottie/lottiemodel.cpp · +5 -2 · modified
    @@ -250,11 +250,14 @@ void model::Gradient::populate(VGradientStops &stops, int frameNo)
         auto                  size = gradData.mGradient.size();
         float *               ptr = gradData.mGradient.data();
         int                   colorPoints = mColorPoints;
    -    size_t                colorPointsSize = colorPoints * 4;
         if (!ptr) return;
    -    if (colorPoints < 0 || colorPointsSize > size) {  // for legacy bodymovin (ref: lottie-android)
    +    if (colorPoints > 0 && (size_t)colorPoints > size / 4) {
             colorPoints = int(size / 4);
         }
    +    if (colorPoints < 0) {  // for legacy bodymovin (ref: lottie-android)
    +        colorPoints = int(size / 4);
    +    }
    +    size_t                colorPointsSize = (size_t)colorPoints * 4;
         auto   opacityArraySize = size - colorPointsSize;
         if (opacityArraySize % 2 != 0) {
             opacityArraySize = 0;
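Review bot: The two clamp branches added ahead of `colorPointsSize` both assign `int(size / 4)` and could be a single condition, `if (colorPoints < 0 || (size_t)colorPoints > size / 4)`, which keeps the legacy bodymovin comment next to one assignment and leaves no room for the branches to drift apart later. The `int(size / 4)` narrowing from `size_t` is also unchecked in both branches; if `mGradient` can never hold more than INT_MAX * 4 elements, a short comment or assert stating that would make the assumption explicit. Comparing against `size / 4` instead of multiplying is the right shape for the check, and since `colorPoints` is bounded by `size / 4` by the time `colorPointsSize` is computed, the later `size - colorPointsSize` cannot underflow; a regression test with a `g.p` value of 0x40000000 would pin this behaviour.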
    

References

1
