FFmpeg Releases Update for Vulnerability in MagicYUV Decoder
Successful exploitation of CVE‑2026‑8461 could allow a DoS condition or RCE via crafted media files processed by applications that embed FFmpeg codecs
Affected platforms
The following platforms are known to be affected:
Threat details
A broad range of products is affected
Because FFmpeg underpins media processing across the software ecosystem, the vulnerability affects many applications and services that embed FFmpeg/libavcodec.
According to the JFrog blog listed at the bottom of this Cyber Alert, these products include but are not limited to:
- Jellyfin
- Nextcloud
- Desktop media players (mpv, Kodi)
- ffmpegthumbnailer (used in GNOME/KDE/XFCE)
- OBS Studio, Emby, Immich, PhotoPrism
- Systems processing video via FFmpeg (cloud pipelines, AI/ML tools, collaboration platforms)
Introduction
FFmpeg has released a security update to address a high severity vulnerability in its libavcodec library, specifically in the MagicYUV decoder. Exploitation requires only that a target system processes the malicious file, which can occur automatically in many scenarios (such as thumbnail generation, preview rendering, or media ingestion pipelines).
Due to FFmpeg’s extensive use across desktop applications, cloud services, and server-side platforms, the potential impact spans a wide range of systems and third-party suppliers. Many downstream applications may not be able to independently detect or mitigate it.
Successful exploitation could allow remote code execution (RCE) or denial of service (DoS) through malicious media processing; the crafted MagicYUV stream can be delivered inside common container formats such as AVI, MKV and MOV files.
A proof-of-concept (PoC) blog post has been published, outlining how unauthenticated users could exploit the vulnerability, in some cases without user interaction.
- CVE‑2026‑8461 - Heap-based buffer overflow (out-of-bounds write) - CVSSv3 score: 8.8
Proof-of-concept exploit
The PoC and exploit methodology for this vulnerability, also known as "Pixel Smash", have been published by a software supply chain security company (JFrog).
NHS England's National Cyber Security Operations Centre (CSOC) considers exploitation as likely due to the existence of public PoC exploit code.
Remediation advice
Affected organisations are encouraged to review FFmpeg security updates relating to CVE‑2026‑8461 and apply the relevant update (version 8.1.2 or later) as soon as possible. Further guidance is available below.
Remediation steps
| Type | Step |
|---|---|
| Patch | Update FFmpeg to 8.1.2 or later. https://ffmpeg.org/download.html |
| Guidance | Identify systems and suppliers using FFmpeg or libavcodec. Pay particular attention to: The company that released the PoC blog has said that the MagicYUV decoder can be detected by running `ffmpeg -decoders 2>/dev/null \| grep magicyuv`. JFrog say that "if the output includes VFS..D magicyuv, your FFmpeg build is vulnerable. The MagicYUV decoder is enabled by default in every upstream FFmpeg build and every distribution package we tested (Ubuntu, Debian, Fedora, Arch, Alpine) before version 9.0." Note that this command only shows whether the decoder is compiled in; check the installed version (`ffmpeg -version`) against 8.1.2 to establish whether a build with the decoder present has been patched. https://jfrog.com/blog/pixelsmash-critical-ffmpeg-vulnerability-turns-media-files-into-weapons/ |
| Guidance | Reduce attack surface |
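The following script is an added example, not code from the NHS alert, FFmpeg or JFrog. It turns the two checks above into something that can be run across a fleet: it parses the `ffmpeg -version` banner and the `ffmpeg -decoders` listing to classify a build as vulnerable, patched or built without the decoder, and it provides a pipeline gate that rejects files carrying a MagicYUV video stream before they reach a thumbnailer or ingest job. Assumptions (labelled in the code): 8.1.2 is the fixed version as stated in this alert; decoder listing lines take the form `<six flag characters> <name> <description>`; `ffprobe` is on PATH for the live gate; the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the NHS alert, FFmpeg or JFrog): classify a host's
# FFmpeg build for CVE-2026-8461 and gate MagicYUV streams out of a pipeline.
# Assumptions: fixed version is 8.1.2 (per the alert); 'ffmpeg -decoders' prints
# one " <6 flag chars> <name> <description>" line per decoder; ffprobe is on
# PATH when gate_media_file is used. Function names are ours, not FFmpeg's.

FIXED_VERSION="8.1.2"   # assumption: first fixed release named in the alert

# Reduce "n8.1.2", "8.1.2-static" or "6.1.1-3ubuntu5" to "MAJOR.MINOR.PATCH".
# Prints nothing for versions with no numeric prefix (git snapshot builds).
normalize_version() {
  printf '%s\n' "$1" | sed -e 's/^[nN]//' -e 's/[^0-9.].*$//'
}

# version_lt A B: exit 0 when A is numerically older than B, 1 otherwise.
# An unparseable A is never reported as older (callers must inspect it by hand).
version_lt() {
  a=$(normalize_version "$1"); b=$(normalize_version "$2")
  [ -n "$a" ] || return 1
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i"); x=${x:-0}
    y=$(printf '%s\n' "$b" | cut -d. -f"$i"); y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# Extract the version token from the first line of 'ffmpeg -version' on stdin,
# e.g. "ffmpeg version 7.0.2 Copyright (c) ..." -> "7.0.2".
ffmpeg_version_from_banner() {
  sed -n '1s/^ffmpeg version \([^ ]*\).*$/\1/p'
}

# Read 'ffmpeg -decoders' output on stdin; exit 0 when the magicyuv decoder is
# compiled in (a flag column such as "VFS..D" followed by the decoder name).
has_magicyuv_decoder() {
  grep -Eq '^ *[VAS][A-Z.]{5} +magicyuv( |$)'
}

# build_status VERSION DECODERS_OUTPUT -> "decoder-disabled" | "vulnerable" | "patched"
# The decoder check alone is not enough: a fixed build still lists magicyuv.
build_status() {
  version="$1"; decoders="$2"
  if ! printf '%s\n' "$decoders" | has_magicyuv_decoder; then
    echo "decoder-disabled"
  elif version_lt "$version" "$FIXED_VERSION"; then
    echo "vulnerable"
  else
    echo "patched"
  fi
}

# Live check of the ffmpeg binary on this host.
check_host_ffmpeg() {
  command -v ffmpeg >/dev/null 2>&1 || { echo "ffmpeg not found" >&2; return 2; }
  v=$(ffmpeg -version 2>/dev/null | ffmpeg_version_from_banner)
  d=$(ffmpeg -decoders 2>/dev/null)
  build_status "$v" "$d"
}

# Pipeline gate: reads ffprobe's csv codec_name list (one stream per line) on
# stdin and exits 0 when any video stream is MagicYUV.
codec_list_contains_magicyuv() {
  grep -Eq '^magicyuv(,|$)'
}

# gate_media_file FILE: exit 1 (reject) for files with a MagicYUV video stream.
# Caveat: ffprobe runs libavformat's stream probing, which can itself call into
# the decoder, so this gate belongs in front of a patched build or one built
# with ./configure --disable-decoder=magicyuv; it does not make an unpatched
# build safe to point at untrusted files.
gate_media_file() {
  f="$1"
  if ffprobe -v error -select_streams v -show_entries stream=codec_name \
       -of csv=p=0 "$f" 2>/dev/null | codec_list_contains_magicyuv; then
    echo "REJECT $f: MagicYUV video stream" >&2
    return 1
  fi
  return 0
}

# Usage: RUN_HOST_CHECK=1 sh ffmpeg_magicyuv_check.sh
if [ "${RUN_HOST_CHECK:-0}" = 1 ]; then
  check_host_ffmpeg
fi
```

`build_status` deliberately reports a build as patched only when the decoder is present and the version is 8.1.2 or later; distribution packages that backport the fix without bumping the upstream version will show as "vulnerable" and need to be confirmed against the vendor's changelog instead.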
Definitive source of threat updates
Last edited: 25 June 2026 3:59 pm