CVE-2026-49510
Integer Overflow in Samsung rlottie Library
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: Samsung TV & Appliance
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| samsung | rlottie | to 21292665023e5074b38254432716866d00f1985f (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an integer overflow issue in the Samsung Open Source rlottie library, specifically in the Gradient::populate() function. When untrusted JSON input provides a colorPoints value that is very large (greater than or equal to 0x40000000), multiplying this value by 4 causes an integer overflow. This overflow results in the calculation wrapping around to zero, which bypasses the bounds check and leads to a heap buffer over-read during gradient rendering.
How can this vulnerability impact me?
The integer overflow can cause a heap buffer over-read, which may lead to application crashes or potentially allow an attacker to read sensitive memory contents. According to the CVSS score (6.1), the impact includes low integrity and high availability impact, meaning the vulnerability could disrupt the normal operation of the application and possibly allow unauthorized modification of data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from a signed integer overflow in the Gradient::populate() function when processing untrusted JSON input with a specific field (g.p) set to very large values. Detection would involve monitoring or analyzing inputs to the rlottie library, especially JSON data that includes the colorPoints or g.p field with values greater than or equal to 0x40000000.
Since the issue is triggered by specific input values causing integer overflow, detection on a system could involve:
- Reviewing logs or application inputs for unusually large values in the g.p field of JSON data processed by rlottie.
- Using debugging or instrumentation tools to monitor calls to the Gradient::populate() function for suspicious parameter values.
There are no explicit commands provided in the resources to detect this vulnerability automatically.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability was fixed by a patch that addresses the integer overflow in the Gradient::populate() function by properly handling large values in the colorPoints field.
Immediate mitigation steps include:
- Update rlottie to the fixed version that includes the patch from the referenced pull request.
- If updating is not immediately possible, restrict or sanitize untrusted JSON inputs to ensure the g.p field does not contain values greater than or equal to 0x40000000.
- Monitor applications using rlottie for unusual crashes or behavior that might indicate exploitation attempts.
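The input check suggested in the detection and mitigation answers above can run before a file ever reaches rlottie. The following is an added example, not code from rlottie or from the advisory; it assumes the field appears in the JSON as a `p` key inside an object stored under a `g` key (the page's g.p), and the function names and sample document are constructed for illustration.

```python
import json

# Threshold from the advisory: g.p at or above this value overflows when multiplied by 4.
OVERFLOW_THRESHOLD = 0x40000000

def wrapped_u32(count):
    """count * 4 truncated to 32 bits, the wraparound the advisory describes."""
    return (int(count) * 4) & 0xFFFFFFFF

def _walk(node, path, hits):
    if isinstance(node, dict):
        grad = node.get("g")
        if isinstance(grad, dict):
            p = grad.get("p")
            # bool is a subclass of int in Python, so exclude it explicitly.
            if (isinstance(p, (int, float)) and not isinstance(p, bool)
                    and p >= OVERFLOW_THRESHOLD):
                hits.append((f"{path}.g.p", p))
        for key, value in node.items():
            _walk(value, f"{path}.{key}", hits)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{path}[{i}]", hits)

def scan_lottie(raw_json):
    """Return [(json_path, value)] for every g.p at or above the threshold."""
    hits = []
    _walk(json.loads(raw_json), "$", hits)
    return hits

def is_safe_to_render(raw_json):
    """Gate for untrusted input: reject unparseable or over-deep JSON and large g.p."""
    try:
        return not scan_lottie(raw_json)
    except (ValueError, RecursionError):
        return False

# Constructed sample: one gradient with g.p = 0x40000000, one ordinary gradient.
SAMPLE = ('{"layers":[{"shapes":['
          '{"ty":"gf","g":{"p":1073741824,"k":{"k":[0,1,1,1]}}},'
          '{"ty":"gf","g":{"p":2,"k":{"k":[0,1,1,1,1,0,0,0]}}}]}]}')

if __name__ == "__main__":
    for where, value in scan_lottie(SAMPLE):
        print(f"{where} = {value} (value * 4 wraps to {wrapped_u32(value)} in 32 bits)")
```

A filter like this is a stopgap for the case where updating is not immediately possible; it does not replace moving to the fixed rlottie version.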
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the integer overflow vulnerability in Samsung Open Source rlottie impacts compliance with common standards and regulations such as GDPR or HIPAA.