Hi,

The following vulnerability was published for rlottie.

CVE-2026-49510[0]:
| Integer overflow or wraparound vulnerability in Samsung Open Source
| rlottie allows Integer Attacks.  This issue affects
| rlottie: before 21292665023e5074b38254432716866d00f1985f.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-49510
https://www.cve.org/CVERecord?id=CVE-2026-49510
[1] https://github.com/Samsung/rlottie/pull/592

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Hello!

Some newly registered CVEs were fixed earlier in the rlottie package.

Specially,

* CVE-2026-8916 by Avoid-assertion-failures.patch
https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/Avoid-assertion-failures.patch#L42

* CVE-2026-47306 by No-cyclic-structures.patch
https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/No-cyclic-structures.patch

* CVE-2026-47318 by Fortify-FreeType-raster.patch
https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/Fortify-FreeType-raster.patch#L59

* CVE-2026-49510 by Fix-crash-on-invalid-data.patch
https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/Fix-crash-on-invalid-data.patch#L32

The latter one is caused by an improper fix to another vulnerability known as
CVE-2025-53075 which in turn duplicates CVE-2021-31319 and was addressed in the
package almost six years ago.

However, other bugs you filed recently have not yet been fixed or fixed
partially and do affect rLottie in Debian.