CVE-2021-31320

7.1 HIGH

📋 TL;DR

A heap buffer overflow vulnerability in Telegram's custom rlottie library allows remote attackers to potentially execute arbitrary code or crash the application via malicious animated stickers. This affects Telegram users on Android, iOS, and macOS who receive or view these stickers. The vulnerability resides in the VGradientCache::generateGradientColorTable function.

💻 Affected Systems

Products:
  • Telegram Android
  • Telegram iOS
  • Telegram macOS
Versions: Android <7.1.0 (2090), iOS <7.1, macOS <7.1
Operating Systems: Android, iOS, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations with animated sticker support enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, data theft, or persistent malware installation.

🟠 Likely Case: Application crash (denial of service) or limited memory corruption that could be leveraged for further exploitation.

🟢 If Mitigated: No impact if patched versions are used or if animated stickers are disabled/blocked.

🌐 Internet-Facing: HIGH - Attackers can exploit remotely via malicious stickers sent through Telegram.
🏢 Internal Only: LOW - Exploitation requires receiving malicious content, not internal network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (viewing/receiving sticker) but no authentication. Technical details and PoC are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android 7.1.0 (2090), iOS 7.1, macOS 7.1

Vendor Advisory: https://telegram.org/blog/version-7-1

Restart Required: No

Instructions:

1. Open Telegram app.
2. Go to Settings > About.
3. Check version.
4. If below patched version, update via official app store (Google Play, App Store, Mac App Store).

🔧 Temporary Workarounds

Disable animated stickers (all platforms)

Prevent rendering of animated stickers that could trigger the vulnerability.

Not applicable - UI configuration only

Block sticker downloads (all platforms)

Use network filtering to block download of animated sticker files.

Firewall rules to block Telegram sticker CDN domains

🧯 If You Can't Patch

  • Disable animated stickers in Telegram settings immediately
  • Use web version or desktop clients (not affected) instead of mobile apps

🔍 How to Verify

Check if Vulnerable:

Check Telegram version in app settings: Android <7.1.0 (2090), iOS <7.1, macOS <7.1

Check Version:

Not applicable - check via app UI Settings > About

Verify Fix Applied:

Confirm version is Android ≥7.1.0 (2090), iOS ≥7.1, or macOS ≥7.1
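
For a managed fleet, the same version check can be run over an inventory export instead of opening each app. The following is an added example, not part of the original advisory or any Telegram tooling; the inventory rows, host names and status labels are constructed for illustration, and only the patched-version thresholds come from this page.

```python
import re

# Fixed versions as stated on this page: (major, minor, patch, build).
# A build of 0 means the page gives no build number for that platform.
PATCHED = {
    "android": (7, 1, 0, 2090),
    "ios": (7, 1, 0, 0),
    "macos": (7, 1, 0, 0),
}
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*\((\d+)\))?\s*$")

def parse_version(text):
    """Parse '7.0.1 (2065)' or '7.1' into (major, minor, patch, build-or-None)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = (int(g) if g else None for g in m.groups())
    return major, minor, patch or 0, build

def classify(platform, version_text):
    """Return 'vulnerable', 'patched', 'unknown' or 'not-listed' (hypothetical labels)."""
    fixed = PATCHED.get(platform.strip().lower())
    if fixed is None:
        return "not-listed"          # platform is not in the page's affected list
    try:
        *release, build = parse_version(version_text)
    except ValueError:
        return "unknown"             # needs a manual check in Settings > About
    if tuple(release) != fixed[:3]:
        return "patched" if tuple(release) > fixed[:3] else "vulnerable"
    if fixed[3] == 0:
        return "patched"             # same release, no build threshold given
    if build is None:
        return "unknown"             # Android 7.1.0 reported without a build number
    return "patched" if build >= fixed[3] else "vulnerable"

# Constructed sample inventory (host, platform, reported version), e.g. an MDM export.
INVENTORY = [
    ("pixel-01", "Android", "7.0.1 (2065)"), ("pixel-02", "Android", "7.1.0 (2090)"),
    ("pixel-03", "Android", "7.1.0"), ("iphone-01", "iOS", "7.0.2"),
    ("mac-01", "macOS", "7.1"), ("win-01", "Windows", "2.4.3"),
]

def audit(inventory):
    """Map each host to its status so vulnerable and unknown devices can be followed up."""
    return {host: classify(platform, version) for host, platform, version in inventory}

if __name__ == "__main__":
    print(audit(INVENTORY))
```

Devices reported as `unknown` are the ones to check by hand, since an Android 7.1.0 install without a build number cannot be placed on either side of build 2090.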

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected process termination

Network Indicators:

  • Downloads of animated sticker files (.tgs format) followed by crashes

SIEM Query:

Process:telegram AND (EventID:1000 OR ExceptionCode:c0000005)
