CVE-2026-8916
Out-of-Bounds Write in Samsung rlottie
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: Samsung TV & Appliance
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| samsung | rlottie | to dcfde72eae1b0464dc0dd760aec00ada6a148635 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8916 is an out-of-bounds write vulnerability in the Samsung Open Source rlottie library. It involves an integer overflow issue in the point and contour counters used in the SW_FT_Outline component of rlottie. This overflow can cause buffer overflow conditions, potentially leading to memory corruption.
The vulnerability was fixed by correcting the integer overflow in these counters to ensure proper handling of values and prevent exploitation.
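The mechanism described above, as an added illustrative C example that is not rlottie's code: the outline type, its field names and its use of short counters are assumptions chosen for the demonstration, not a statement about the real SW_FT_Outline layout. It shows how a counter update that silently wraps lets a later capacity check pass for a buffer that is far too small (the root of the CWE-787 condition), beside a checked update that rejects the input before the counter can wrap or exceed the allocation.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>

/* Toy outline record (assumption for illustration only). Narrow short
 * counters stand in for the point/contour counters the CVE text describes. */
typedef struct {
    short n_points;    /* counter that can wrap */
    short max_points;  /* capacity the point buffer was allocated for */
    int  *points;      /* max_points entries */
} outline_t;

bool outline_init(outline_t *o, short capacity) {
    if (capacity <= 0) return false;
    o->points = calloc((size_t)capacity, sizeof(int));
    if (!o->points) return false;
    o->n_points = 0;
    o->max_points = capacity;
    return true;
}

void outline_free(outline_t *o) {
    free(o->points);
    o->points = NULL;
}

/* Unchecked growth, the shape of the bug: the addition is done in int and
 * stored back into the short, so a large 'extra' wraps to a small (or
 * negative) value. Any later "n_points <= max_points" check then passes even
 * though far more points than were allocated are about to be written.
 * Returns the counter value after the (possibly wrapped) update. */
short grow_unchecked(outline_t *o, int extra) {
    o->n_points = (short)(o->n_points + extra);
    return o->n_points;
}

/* Checked growth: reject before the counter can wrap and before it can
 * exceed the allocated capacity. This is the defensive pattern, not the
 * project's actual patch. */
bool grow_checked(outline_t *o, int extra) {
    if (extra < 0) return false;
    if (extra > SHRT_MAX - o->n_points) return false;      /* would wrap */
    if (o->n_points + extra > o->max_points) return false; /* exceeds buffer */
    o->n_points = (short)(o->n_points + extra);
    return true;
}

/* Store one point; refuses, rather than writing past the end, when idx is
 * outside the allocated buffer. */
bool outline_set_point(outline_t *o, int idx, int value) {
    if (idx < 0 || idx >= o->max_points) return false;
    o->points[idx] = value;
    return true;
}

/* Concrete wrap: adding 65542 points to an empty outline leaves the short
 * counter reading 6; adding 40000 leaves it negative. */
int wrapped_counter_for(int extra) {
    outline_t o;
    if (!outline_init(&o, 16)) return -1;
    short after = grow_unchecked(&o, extra);
    outline_free(&o);
    return after;
}

/* 1 if the checked path accepts growing a 'capacity'-sized outline by
 * 'extra' points, 0 if it rejects, -1 on allocation failure. */
int checked_accepts(int capacity, int extra) {
    outline_t o;
    if (!outline_init(&o, (short)capacity)) return -1;
    int ok = grow_checked(&o, extra) ? 1 : 0;
    outline_free(&o);
    return ok;
}
```

The wrapped values assume the usual two's-complement truncation when an out-of-range int is converted to short; the checked path never depends on that behaviour because it refuses the input first.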
How can this vulnerability impact me?
This vulnerability can lead to an out-of-bounds write, which may cause memory corruption. Such corruption can result in application crashes or potentially allow an attacker to execute arbitrary code or escalate privileges within the affected system.
According to the CVSS v3.1 score of 6.1, the vulnerability requires local access with low attack complexity and user interaction, and it impacts the availability and integrity of the system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the rlottie library to a version that includes the fix for CVE-2026-8916.
The fix was implemented in a pull request (#589) merged on May 12, 2026, which corrects the integer overflow in the SW_FT_Outline point and contour counters.
Applying this update prevents the out-of-bounds write caused by the counter overflow.