Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. FFmpeg PixelSmash: CVE-2026-8461 Enables RCE via Crafted Video Files Across Thousands of Apps
FFmpeg PixelSmash: CVE-2026-8461 Enables RCE via Crafted Video Files Across Thousands of Apps
NEWS

FFmpeg PixelSmash: CVE-2026-8461 Enables RCE via Crafted Video Files Across Thousands of Apps

A heap out-of-bounds write in FFmpeg's MagicYUV decoder — CVE-2026-8461, CVSS 8.8 — lets attackers execute shell commands by delivering a 50 KB video...

Dylan H.

News Desk

June 24, 2026
4 min read

Security researchers at JFrog have disclosed CVE-2026-8461 — a heap out-of-bounds write vulnerability in FFmpeg's MagicYUV decoder within libavcodec — that enables unauthenticated remote code execution through nothing more than opening a crafted video file. Dubbed PixelSmash, the flaw carries a CVSS score of 8.8 (High) and affects every application built on FFmpeg's media decoding library.

Given FFmpeg's position as the de-facto media processing backbone for thousands of applications — from media players to cloud transcoding pipelines — the blast radius of this vulnerability is exceptionally broad.

Root Cause: Height Calculation Mismatch in MagicYUV

The vulnerability stems from a subtle inconsistency between two components of the MagicYUV decoder:

  1. Frame allocator — allocates pixel buffer memory using one calculation of chroma plane height
  2. Decoder — writes pixel data using a slightly larger height calculation

This mismatch produces a heap out-of-bounds write into memory immediately following the allocated pixel buffer — where FFmpeg places its AVBuffer struct, a reference-counted buffer management object.

An attacker who can craft a malicious video file controls what gets written to that struct location, enabling:

[pixel buffer] [AVBuffer struct ← attacker-controlled OOB write]

JFrog researchers demonstrated that placing a NUL-terminated shell command at the exact out-of-bounds offset causes the command to execute via a shell callback before the resulting heap corruption triggers a crash — achieving code execution with the privileges of the decoding process.

Attack Surface: Delivery Vectors

The PixelSmash flaw is particularly dangerous because video decoding occurs automatically across many contexts:

VectorTriggerAuthentication Required
Opening a video fileManual openNone
Folder browsingThumbnail generationNone
Uploading to media serverTranscoding pipelineNone
Chat platform uploadServer-side decodeNone
Torrent downloadAutomated library scanNone

The thumbnail generation vector is especially alarming: on Linux systems, file managers such as Nautilus, Thunar, and Dolphin automatically decode video thumbnails when a user browses a directory. A malicious file placed in a shared folder or downloads directory could trigger execution before the user opens anything.

Confirmed Vulnerable Applications

Any application that links against FFmpeg's libavcodec and processes untrusted media is affected. Confirmed vulnerable apps include:

CategoryApplications
Media PlayersKodi, mpv
Thumbnail Toolsffmpegthumbnailer
Self-Hosted MediaJellyfin, Emby
File Sharing / CloudNextcloud, Immich, PhotoPrism
Streaming / RecordingOBS Studio

Beyond this confirmed list, any application using an FFmpeg version prior to 8.1.2 is potentially vulnerable — including smart TV firmware, NAS appliance software (Synology, QNAP), and cloud transcoding pipelines.

Crafted File Characteristics

  • Size: ~50 KB AVI, MKV, or MOV file
  • Payload: NUL-terminated shell command embedded at specific OOB offset
  • Detection difficulty: No known AV signatures at time of disclosure; standard media file formats
  • No authentication required for any attack vector

Patch and Remediation

FFmpeg 8.1.2 contains the fix for CVE-2026-8461. Organizations and developers should:

  1. Update FFmpeg immediately to version 8.1.2 or later
  2. Rebuild all applications that statically link libavcodec
  3. Update packaged applications (Jellyfin, Kodi, Nextcloud, etc.) once vendors release patched builds
  4. Disable thumbnail generation on file servers as a temporary measure if patching is delayed

Checking Your FFmpeg Version

ffmpeg -version | head -1
# Should show: ffmpeg version 8.1.2 or later
 
# Check if libavcodec is statically linked in your app:
ldd /usr/bin/kodi | grep avcodec
objdump -p /usr/bin/mpv | grep NEEDED | grep avcodec

Temporary Mitigations

Until patching is complete:

  • Restrict upload access on media servers to trusted users only
  • Disable automatic thumbnail generation in Nextcloud, Immich, and similar platforms
  • Sandbox media-processing services (Docker, firejail, systemd PrivateTmp=yes)
  • Monitor for unexpected child process spawning from media player or server processes

Broader Implications

CVE-2026-8461 is a reminder that the media codec attack surface is poorly appreciated in enterprise security. FFmpeg underlies:

  • Virtually every self-hosted media stack
  • Numerous chat and collaboration platforms (server-side thumbnail generation)
  • CI/CD pipelines that process video artifacts
  • Browser-based media (via WebAssembly FFmpeg forks)

Unlike typical server-side vulnerabilities, this class of bug is triggered by content ingestion — meaning that WAF rules, network segmentation, and authentication controls provide limited protection. The fix is simply: keep FFmpeg current.

Sources

  • SecurityWeek — FFmpeg PixelSmash Flaw Analysis
  • JFrog Security Research Blog
  • FFmpeg Security Advisory — CVE-2026-8461

Related Coverage

  • AI Agent Uncovers 21 Zero-Days in FFmpeg
  • Supply Chain Attack Hits Widely Used AI Package
#FFmpeg#RCE#CVE-2026-8461#Media Security#NAS#Supply Chain#JFrog

Related Articles

Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw

A heap overflow in libssh2's transport layer allows a malicious SSH server to achieve pre-authentication RCE against any connecting client. All versions...

3 min read

Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS

Six critical flaws in protobuf.js — the JavaScript/TypeScript Protocol Buffers library — can lead to remote code execution and denial-of-service in...

4 min read

Critical Gemini CLI Flaw Enabled Host Code Execution

A critical vulnerability in Google's Gemini CLI allowed an attacker to plant a malicious configuration file that executed commands outside the sandbox,...

4 min read
Back to all News