CVE-2026-47306
Uncontrolled Recursion in Samsung rlottie
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: Samsung TV & Appliance
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| samsung | rlottie | to e2d19e3b150e0e4a9586fa90b56fd3061cc98945 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-47306 vulnerability is an uncontrolled recursion flaw in the Samsung rlottie library. It occurs when malicious Lottie JSON files contain circular asset references, such as an asset referencing itself or another asset in a cycle. This causes the renderer's function to call itself recursively without limits, leading to a crash with a segmentation fault.
The issue arises specifically in the renderer's CompLayer constructor calling createLayerItem recursively. The fix involves detecting cycles in asset references by building a directed dependency graph and using a breadth-first search to find cycles. When a cycle is detected, the problematic layer is skipped to prevent the crash.
How can this vulnerability impact me? :
This vulnerability can cause the rlottie renderer to crash due to infinite recursion triggered by maliciously crafted Lottie JSON files with circular references. The crash results in a segmentation fault, which can lead to denial of service or application instability when processing such files.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests when the rlottie renderer processes malicious Lottie JSON files containing circular asset references, causing infinite recursion and a crash with a segmentation fault (SIGSEGV). Detection involves monitoring for such crashes or segmentation faults related to rlottie.
You can detect this issue by observing application logs or system logs for segmentation faults or crashes triggered by rlottie when rendering Lottie JSON files.
Since the issue is triggered by specific Lottie JSON files with circular references, you can also analyze Lottie JSON files for circular asset references manually or with custom scripts.
- Use system tools like `dmesg` or `journalctl` to check for segmentation faults related to rlottie: `dmesg | grep rlottie` or `journalctl -xe | grep rlottie`.
- Run the application or service using rlottie under a debugger (e.g., gdb) to catch segmentation faults and analyze the call stack.
- Inspect Lottie JSON files for circular references by parsing the asset references and checking for cycles in the dependency graph.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the rlottie library to a version that includes the fix which introduces cycle detection in the `resolveLayerRefs()` function.
The fix prevents infinite recursion by detecting cycles in asset references and skipping problematic Precomp layers, thus avoiding crashes.
If updating immediately is not possible, avoid processing untrusted or suspicious Lottie JSON files that may contain circular asset references.
- Apply the patch or upgrade rlottie to the commit after e2d19e3b150e0e4a9586fa90b56fd3061cc98945 where the fix was introduced.
- Implement input validation to detect and reject Lottie JSON files with circular references before rendering.
- Monitor application stability and logs for crashes related to rlottie and respond accordingly.