CVE-2021-31318: 
NixOS vulnerability analysis and mitigation

CVE-2021-31318 affects Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1, involving a Type Confusion vulnerability in the LOTCompLayerItem::LOTCompLayerItem function of their custom fork of the rlottie library. The vulnerability was discovered and reported in 2020, with patches released in September and October 2020 (Ubuntu Security, Shielder Advisory).

The vulnerability is a type confusion in LOTCompLayerItem::LOTCompLayerItem where an object of an unverified type is subject to a static_cast, resulting in an out-of-bounds memory access. The issue occurs when a static cast is performed without any type check against objects that do not share the LOTGroupData parent. The vulnerability has a CVSS v3.1 score of 5.5 (Medium) (Ubuntu Security).

A remote attacker could potentially access heap memory out-of-bounds on a victim's device through a malicious animated sticker. The vulnerability could lead to information disclosure and potential memory corruption (Shielder Advisory).

The issue was patched in Telegram Android v7.1.0 (2090), Telegram iOS v7.1, and Telegram macOS v7.1. Telegram implemented additional security measures by verifying that animated stickers in secret chats are part of legitimate sticker sets before processing them. Users should update to these versions or later to mitigate the vulnerability (Shielder Advisory).