CVE-2026-47306
Deferred Deferred - Pending Action
Uncontrolled Recursion in Samsung rlottie

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: Samsung TV & Appliance

Description
Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Oversized Serialized Data Payloads. This issue affects rlottie: before e2d19e3b150e0e4a9586fa90b56fd3061cc98945.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-24
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-47306
EUVD
EUVD-2026-34236
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
samsung rlottie to e2d19e3b150e0e4a9586fa90b56fd3061cc98945 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-47306 vulnerability is an uncontrolled recursion flaw in the Samsung rlottie library. It occurs when malicious Lottie JSON files contain circular asset references, such as an asset referencing itself or another asset in a cycle. This causes the renderer's function to call itself recursively without limits, leading to a crash with a segmentation fault.

The issue arises specifically in the renderer's CompLayer constructor calling createLayerItem recursively. The fix involves detecting cycles in asset references by building a directed dependency graph and using a breadth-first search to find cycles. When a cycle is detected, the problematic layer is skipped to prevent the crash.

Impact Analysis

This vulnerability can cause the rlottie renderer to crash due to infinite recursion triggered by maliciously crafted Lottie JSON files with circular references. The crash results in a segmentation fault, which can lead to denial of service or application instability when processing such files.

Detection Guidance

This vulnerability manifests when the rlottie renderer processes malicious Lottie JSON files containing circular asset references, causing infinite recursion and a crash with a segmentation fault (SIGSEGV). Detection involves monitoring for such crashes or segmentation faults related to rlottie.

You can detect this issue by observing application logs or system logs for segmentation faults or crashes triggered by rlottie when rendering Lottie JSON files.

Since the issue is triggered by specific Lottie JSON files with circular references, you can also analyze Lottie JSON files for circular asset references manually or with custom scripts.

  • Use system tools like `dmesg` or `journalctl` to check for segmentation faults related to rlottie: `dmesg | grep rlottie` or `journalctl -xe | grep rlottie`.
  • Run the application or service using rlottie under a debugger (e.g., gdb) to catch segmentation faults and analyze the call stack.
  • Inspect Lottie JSON files for circular references by parsing the asset references and checking for cycles in the dependency graph.
Mitigation Strategies

To mitigate this vulnerability, update the rlottie library to a version that includes the fix which introduces cycle detection in the `resolveLayerRefs()` function.

The fix prevents infinite recursion by detecting cycles in asset references and skipping problematic Precomp layers, thus avoiding crashes.

If updating immediately is not possible, avoid processing untrusted or suspicious Lottie JSON files that may contain circular asset references.

  • Apply the patch or upgrade rlottie to the commit after e2d19e3b150e0e4a9586fa90b56fd3061cc98945 where the fix was introduced.
  • Implement input validation to detect and reject Lottie JSON files with circular references before rendering.
  • Monitor application stability and logs for crashes related to rlottie and respond accordingly.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47306. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart