
FFmpeg 8.1.2 security update (CVE-2026-8461)

Security Patch Release
H score 36
1 unique source, 1 article

Summary


FFmpeg shipped version 8.1.2 to fix CVE-2026-8461, a heap out-of-bounds write in the MagicYUV decoder that could affect FFmpeg-based applications. Media players, servers, and thumbnailing workflows that rely on libavcodec were exposed to attack through crafted AVI, MKV, or MOV files. In some cases, the bug could be pushed to remote code execution if ASLR is disabled or bypassed, and it could also cause denial of service on vulnerable targets.

Related Happenings

Langflow security patch release for CVE-2026-5027

Security Patch Release
H score 38 · First: 11.06.2026 00:23 · Last: 11.06.2026 00:23 · Sources: 1

About this happening: **Langflow** shipped fixes for **CVE-2026-5027**, closing a **path traversal** flaw that let attackers write arbitrary files on exposed servers. The patch landed in **langflow-bas...

SolarWinds security patch release for CVE-2025-40538

Security Patch Release
H score 64 · First: 25.02.2026 09:04 · Last: 25.02.2026 09:04 · Sources: 1

About this happening: **SolarWinds** released **Serv-U** updates that fix **four critical flaws** in **version 15.5**, reducing the risk of **remote code execution**. The patched issues are tracked as...

Digiever DS-2105 Pro active exploitation wave (CVE-2023-52163)

Exploitation Wave
H score 39 · First: 25.12.2025 10:07 · Last: 25.12.2025 10:07 · Sources: 1

About this happening: **CVE-2023-52163** is being exploited at scale against **Digiever DS-2105 Pro NVRs**, with multiple reports linking abuse to **Mirai** and **ShadowV2** botnet delivery. The flaw i...

CISA adds CVE-2025-21042 to KEV catalog

Public Sector Action
H score 48 · First: 11.11.2025 12:30 · Last: 11.11.2025 12:30 · Sources: 1

About this happening: **CISA** added **CVE-2025-21042** to the **KEV catalog**, triggering a formal federal response to a **Samsung** zero-day that had been reported as actively abused in spyware opera...

Timeline

  1. 23.06.2026 00:05 · 1 article

    JFrog reports PixelSmash to the FFmpeg security team

    Initial Disclosure

    JFrog says it reported CVE-2026-8461, also called PixelSmash, to the FFmpeg security team after identifying a heap out-of-bounds write in the MagicYUV decoder that could lead to remote code execution or denial of service in FFmpeg-based applications.

  2. 23.06.2026 00:05 · 2 articles

    FFmpeg releases version 8.1.2 to fix CVE-2026-8461

    Mitigation Patch Update

    FFmpeg released version 8.1.2 on June 17 to fix the MagicYUV decoder flaw tracked as CVE-2026-8461, giving downstream projects an upstream patch path for the vulnerable decoder.

  3. 23.06.2026 00:05 · 1 article

    PixelSmash vulnerability affects Jellyfin, Nextcloud, and other FFmpeg-based applications

    Technical Analysis Update

    The public analysis describes CVE-2026-8461 as a heap out-of-bounds write in the MagicYUV decoder that can be triggered by crafted AVI, MKV, or MOV files, can cause denial of service in applications such as Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio, and can reach remote code execution on Jellyfin when ASLR is disabled or bypassed.
