Hi,

The following vulnerability was published for rlottie.

CVE-2026-8916[0]:
| Out-of-bounds write vulnerability in Samsung Open Source rlottie
| allows Overflow Buffers.  This issue affects rlottie:
| before dcfde72eae1b0464dc0dd760aec00ada6a148635.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8916
https://www.cve.org/CVERecord?id=CVE-2026-8916
[1] https://github.com/Samsung/rlottie/pull/589
[2] https://github.com/Samsung/rlottie/commit/ffe60942892c3d68b14560761ea920d360ef51bb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Hello!

Some newly registered CVEs were fixed earlier in the rlottie package.

Specially,

* CVE-2026-8916 by Avoid-assertion-failures.patch
https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/Avoid-assertion-failures.patch#L42

* CVE-2026-47306 by No-cyclic-structures.patch
https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/No-cyclic-structures.patch

* CVE-2026-47318 by Fortify-FreeType-raster.patch
https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/Fortify-FreeType-raster.patch#L59

* CVE-2026-49510 by Fix-crash-on-invalid-data.patch
https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/Fix-crash-on-invalid-data.patch#L32

The latter one is caused by an improper fix to another vulnerability known as
CVE-2025-53075 which in turn duplicates CVE-2021-31319 and was addressed in the
package almost six years ago.

However, other bugs you filed recently have not yet been fixed or fixed
partially and do affect rLottie in Debian.