
FFmpeg MagicYUV decoder heap out-of-bounds write remote code execution flaw (CVE-2026-8461)

Vulnerability · H score 28 · 1 unique source, 1 article

Summary


FFmpeg disclosed CVE-2026-8461 (PixelSmash), a heap out-of-bounds write in the MagicYUV decoder that can crash FFmpeg-based applications and create remote code execution risk under specific conditions. The flaw affects software using libavcodec and is reachable through crafted AVI, MKV, or MOV files. FFmpeg 8.1.2 fixes the issue, reducing exposure across media servers and preview pipelines that trust FFmpeg to process untrusted input.

Timeline

  1. 22.06.2026 03:00 1 article · 22h ago

    JFrog reports CVE-2026-8461 in FFmpeg's MagicYUV decoder

    Initial Disclosure

    JFrog reported CVE-2026-8461 to the FFmpeg security team after finding a heap out-of-bounds write in the MagicYUV decoder that could crash FFmpeg-based applications and, under some conditions, enable remote code execution on Jellyfin or denial of service on other libavcodec users.

  2. 22.06.2026 03:00 1 article · 22h ago

    FFmpeg 8.1.2 fixes the PixelSmash vulnerability

    Mitigation Patch Update

    FFmpeg released version 8.1.2 to fix CVE-2026-8461, and downstream maintainers including Jellyfin updated their bundled FFmpeg while PhotoPrism worked on a file-format blocklist to reduce exposure to malicious AVI, MKV, or MOV files.

  3. 22.06.2026 03:00 2 articles · 22h ago

    PixelSmash exposure spans Jellyfin, Nextcloud, and other FFmpeg-based media apps

    Campaign Scope Update

    JFrog detailed that PixelSmash can be triggered by crafted AVI, MKV, or MOV files opened directly, detected during thumbnail generation, or processed through automated media ingestion, and demonstrated remote code execution on Jellyfin and Nextcloud when ASLR is disabled or bypassed. The same analysis also extended the risk to Kodi, Emby, PhotoPrism, OBS Studio, GNOME/KDE/XFCE thumbnail generators, and other projects that trust FFmpeg to handle untrusted input safely.
