CVE-2026-8461 "PixelSmash": critical FFmpeg MagicYUV flaw enables zero-interaction RCE — patch to 8.1.2 now

Security firm JFrog disclosed a critical heap out-of-bounds write vulnerability in FFmpeg’s MagicYUV lossless video codec decoder, tracked as CVE-2026-8461 with a CVSS score of 8.8. FFmpeg has released version 8.1.2 with a patch; as a workaround, the MagicYUV decoder can be disabled at build time. The root cause is a rounding mismatch: when processing video frames with odd-numbered slice heights, the decoder allocates a smaller buffer than it writes to, overflowing by up to 640 bytes per row into FFmpeg’s own AVBuffer struct — a data structure containing a cleanup function pointer. Attackers overwrite that pointer to redirect execution, achieving full code execution without authentication or elevated privileges. JFrog demonstrated the exploit by spawning a shell on a Jellyfin 10.11.9 media server via its normal library scan pipeline, and also achieved compromise via Nextcloud’s movie preview thumbnail generator.

The vulnerability’s blast radius is exceptional. FFmpeg’s libavcodec ships as a transitive dependency in virtually every application that handles video, and the MagicYUV decoder is enabled by default in all upstream builds. Confirmed crash targets include Kodi, mpv, ffmpegthumbnailer (used by GNOME, KDE, and XFCE), Emby, Immich, PhotoPrism, and OBS Studio; full RCE was demonstrated against Jellyfin and Nextcloud. On desktops, merely browsing to a folder containing a malicious video file is sufficient — the file manager’s thumbnail generator triggers the flaw without the file ever being opened. On servers, uploading a crafted AVI, MKV, or MOV file to a media platform or cloud transcoding service triggers automatic processing. JFrog notes that exploitation is entirely silent: no error is displayed, and the resulting crash is buried in server-side logs that typically go unmonitored. The vulnerability also extends to AI frameworks and GPU-accelerated data pipelines that use FFmpeg for media ingestion.

Cybernews | JFrog