#1138917 rlottie: CVE-2026-47306

Package: src:rlottie
Source: src:rlottie
Submitter: Salvatore Bonaccorso
Date: 2026-06-09 14:35:02 UTC
Severity: normal
Tags:

#1138917#5
Date: 2026-06-05 18:56:13 UTC
From:
To:
Hi,

The following vulnerability was published for rlottie.

CVE-2026-47306[0]:
| Uncontrolled Recursion vulnerability in Samsung Open Source rlottie
| allows Oversized Serialized Data Payloads.  This issue affects
| rlottie: before e2d19e3b150e0e4a9586fa90b56fd3061cc98945.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-47306
https://www.cve.org/CVERecord?id=CVE-2026-47306
[1] https://github.com/Samsung/rlottie/pull/585
[2] https://github.com/Samsung/rlottie/commit/1cda06022e53206c230fb0c6e38b2adaea729a5d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
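
The CVE text above names the defect class (uncontrolled recursion over serialized animation data, fixed upstream by rejecting cyclic structures). The following C++ example is added here and is not rlottie's code or the Debian patch: it is a hypothetical, simplified model in which assets embed other assets by id (as Lottie precomp layers do), and the reference graph is checked for cycles and bounded in depth before any recursive processing runs.

```cpp
// Added example (not rlottie code): a minimal model of asset references in
// serialized animation data. A chain of references that loops back on
// itself, or that nests deeper than a fixed bound, is rejected up front so
// that a later recursive walk cannot run away. All names are hypothetical.
#include <cstddef>
#include <map>
#include <string>
#include <unordered_set>
#include <vector>

struct Asset {
    std::string id;
    std::vector<std::string> refIds;  // ids of assets this one embeds
};

using AssetTable = std::map<std::string, Asset>;

// Maximum nesting we are willing to follow; a real parser picks a bound
// that legitimate animations stay well under.
constexpr std::size_t kMaxDepth = 32;

// Walks the references rooted at `id`. Returns false on a cycle (an id that is
// already on the current path), on a dangling reference, or when nesting
// exceeds kMaxDepth; `onPath` holds the ids on the current descent only.
static bool walk(const AssetTable& table, const std::string& id,
                 std::unordered_set<std::string>& onPath, std::size_t depth) {
    if (depth > kMaxDepth) return false;
    auto it = table.find(id);
    if (it == table.end()) return false;          // dangling reference
    if (!onPath.insert(id).second) return false;  // cycle: id already on path
    for (const auto& child : it->second.refIds) {
        if (!walk(table, child, onPath, depth + 1)) return false;
    }
    onPath.erase(id);  // backtrack so siblings may legitimately reuse the asset
    return true;
}

// Validates every asset in the table before anything is rendered.
bool assetsAreAcyclic(const AssetTable& table) {
    for (const auto& kv : table) {
        std::unordered_set<std::string> onPath;
        if (!walk(table, kv.first, onPath, 0)) return false;
    }
    return true;
}

// Builds a table from constructed sample assets (helper for the examples).
AssetTable makeTable(const std::vector<Asset>& assets) {
    AssetTable t;
    for (const auto& a : assets) t[a.id] = a;
    return t;
}
```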

#1138917#10
Date: 2026-06-09 14:32:45 UTC
From:
To:
Hello!

Some newly registered CVEs were fixed earlier in the rlottie package.

Specifically,

* CVE-2026-8916 by Avoid-assertion-failures.patch
https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/Avoid-assertion-failures.patch#L42

* CVE-2026-47306 by No-cyclic-structures.patch
https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/No-cyclic-structures.patch

* CVE-2026-47318 by Fortify-FreeType-raster.patch
https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/Fortify-FreeType-raster.patch#L59

* CVE-2026-49510 by Fix-crash-on-invalid-data.patch
https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/Fix-crash-on-invalid-data.patch#L32

The latter one is caused by an improper fix to another vulnerability known as
CVE-2025-53075 which in turn duplicates CVE-2021-31319 and was addressed in the
package almost six years ago.

However, other bugs you filed recently have not yet been fixed, or have been
fixed only partially, and do affect rLottie in Debian.