CVE-2026-8916
Deferred - Pending Action
Out-of-Bounds Write in Samsung rlottie

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: Samsung TV & Appliance

Description
Out-of-bounds write vulnerability in Samsung Open Source rlottie allows Overflow Buffers. This issue affects rlottie: before dcfde72eae1b0464dc0dd760aec00ada6a148635.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-04
Generated: 2026-06-24
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-23
Affected Vendors & Products
Vendor: samsung
Product: rlottie
Version / Range: up to dcfde72eae1b0464dc0dd760aec00ada6a148635 (exclusive)
CWE
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-8916 is an out-of-bounds write vulnerability in the Samsung Open Source rlottie library. It involves an integer overflow issue in the point and contour counters used in the SW_FT_Outline component of rlottie. This overflow can cause buffer overflow conditions, potentially leading to memory corruption.

The vulnerability was fixed by correcting the integer overflow in these counters to ensure proper handling of values and prevent exploitation.

Impact Analysis

This vulnerability can lead to an out-of-bounds write, which may cause memory corruption. Such corruption can result in application crashes or potentially allow an attacker to execute arbitrary code or escalate privileges within the affected system.

According to the CVSS v3.1 score of 6.1, the vulnerability requires local access with low attack complexity and user interaction, and it impacts the availability and integrity of the system.

Mitigation Strategies

To mitigate this vulnerability, you should update the rlottie library to a version that includes the fix for CVE-2026-8916.

The fix was implemented in a pull request (#589) merged on May 12, 2026, which corrects the integer overflow in the SW_FT_Outline point and contour counters.

Applying this update prevents the out-of-bounds write described above.
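
To confirm that a cloned or vendored rlottie tree already contains the fix, the following added example (not part of the advisory or of the rlottie project) checks whether the fix commit named in the description is an ancestor of the checked-out HEAD. The function name and the repository path argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report whether an rlottie git checkout contains the fix commit.
# The commit id is the one given in the advisory description; the function
# name and the repository path argument are assumptions of this example.
FIX_COMMIT="dcfde72eae1b0464dc0dd760aec00ada6a148635"

# rlottie_fix_status REPO [COMMIT]
# Prints one word and returns: 0 = fixed, 1 = affected, 2 = unknown.
rlottie_fix_status() {
    repo="$1"
    fix="${2:-$FIX_COMMIT}"

    # A tarball copy without git metadata cannot be checked by ancestry.
    if ! git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "unknown"; return 2
    fi
    # An empty repository has no HEAD commit to compare against.
    if ! git -C "$repo" rev-parse --verify --quiet "HEAD^{commit}" >/dev/null; then
        echo "unknown"; return 2
    fi
    # Fix commit object missing from the local object store.
    if ! git -C "$repo" cat-file -e "${fix}^{commit}" 2>/dev/null; then
        # In a shallow clone the history may simply be truncated.
        if [ "$(git -C "$repo" rev-parse --is-shallow-repository 2>/dev/null)" = "true" ]; then
            echo "unknown"; return 2
        fi
        # Full history without the commit: HEAD cannot contain it.
        echo "affected"; return 1
    fi
    # Fix commit present: it must be reachable from HEAD to count as applied.
    if git -C "$repo" merge-base --is-ancestor "$fix" HEAD; then
        echo "fixed"; return 0
    fi
    echo "affected"; return 1
}
```

A fix back-ported under a different commit id is reported as affected, so that result is a prompt to inspect the tree rather than proof that the code is vulnerable.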
