FFmpeg patched CVE-2026-8461, a high-severity heap out-of-bounds write flaw dubbed PixelSmash in the libavcodec MagicYUV decoder. The bug is triggered by an odd slice_height condition while parsing malicious AVI, MKV, or MOV files and affects FFmpeg versions before 8.1.2. The vulnerability can cause denial of service and, in some environments, lead to remote code execution.
JFrog reported that applications embedding FFmpeg are exposed through their media-processing pipelines, and demonstrated full remote code execution against Jellyfin 10.11.9 via its automated media library scan workflow, although successful RCE required ASLR to be disabled or bypassed. Nextcloud was also identified as potentially vulnerable under additional conditions, while Plex appears largely protected by a restricted custom FFmpeg build. Organizations using FFmpeg directly or through downstream products have been urged to upgrade to FFmpeg 8.1.2 or later and apply vendor patches because the decoder’s broad adoption creates a notable supply-chain exposure.

Timeline (7 events, most recent first, back to the earliest known activity):
JFrog reported achieving full remote code execution against Nextcloud using CVE-2026-8461 by corrupting FFmpeg heap structures and forcing a call to system() with attacker-controlled input. The report indicates Nextcloud, like Jellyfin, can be exposed through automated media processing workflows.
JFrog said CVE-2026-8461 affects additional applications beyond those previously highlighted, naming Kodi, mpv, Emby, Immich, PhotoPrism, OBS Studio, and ffmpegthumbnailer among confirmed targets. The report described broad exposure across desktop players, media servers, NAS devices, and automated thumbnailing or transcoding workflows.
Following the FFmpeg fix for CVE-2026-8461, Jellyfin updated its bundled FFmpeg. The reporting also noted Plex appeared effectively mitigated through a restricted custom FFmpeg build.
FFmpeg addressed the MagicYUV decoder heap out-of-bounds write vulnerability in version 8.1.2. Guidance in the references recommends updating to FFmpeg 8.1.2 or later to remediate the issue.
JFrog demonstrated full remote code execution against Jellyfin 10.11.9 through its automated media library scan pipeline using CVE-2026-8461. The researchers noted exploitation required ASLR to be disabled or another vulnerability to bypass that protection.
JFrog disclosed CVE-2026-8461, dubbed PixelSmash, a high-severity heap out-of-bounds write in FFmpeg's MagicYUV decoder that can be triggered by malicious AVI, MKV, or MOV files. The flaw affects FFmpeg versions before 8.1.2 and can lead to denial of service and, in some cases, remote code execution.
JFrog disclosed CVE-2026-8461, dubbed PixelSmash, to FFmpeg developers on 2026-05-13. This private report preceded the public disclosure and later fix in FFmpeg 8.1.2.
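The remediation guidance in the timeline is a version threshold: FFmpeg 8.1.2 or later. The checker below is an added example written for this page, not code from JFrog, FFmpeg, or any of the downstream projects named above; it parses the first line of `ffmpeg -version` (the only input it relies on) and classifies the build against that threshold. The sample banners are constructed for the example, and the `N-...-g...` git-snapshot form is deliberately reported as undecidable rather than guessed.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Fixed release per the advisory summary on this page (CVE-2026-8461, MagicYUV heap OOB write).
FIXED_VERSION: Tuple[int, int, int] = (8, 1, 2)

# Matches "ffmpeg version 8.1.1 ...", "ffmpeg version n8.1.2-static ...", "ffmpeg version 8.2 ...".
# Git snapshots ("ffmpeg version N-120000-gdeadbeef ...") do not match on purpose.
_BANNER_RE = re.compile(r"^ffmpeg version\s+n?(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_ffmpeg_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the first line of `ffmpeg -version` output.

    Returns None when the banner is empty or is a git snapshot build, whose
    position relative to the 8.1.2 release cannot be decided from the banner alone.
    """
    stripped = banner.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    m = _BANNER_RE.match(first_line)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_patched(banner: str) -> Optional[bool]:
    """True if the banner reports >= 8.1.2, False if older, None if undecidable."""
    version = parse_ffmpeg_version(banner)
    if version is None:
        return None
    return version >= FIXED_VERSION


def check_installed(ffmpeg_bin: str = "ffmpeg") -> Optional[bool]:
    """Run a local binary and classify it; None if it is missing, fails, or is undecidable."""
    try:
        proc = subprocess.run([ffmpeg_bin, "-version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return is_patched(proc.stdout)


# Constructed sample banners (not captured from real systems) covering the shapes a fleet scan sees.
SAMPLE_BANNERS: Dict[str, str] = {
    "release_old": "ffmpeg version 8.1.1 Copyright (c) 2000-2026 the FFmpeg developers",
    "release_fixed": "ffmpeg version n8.1.2-static Copyright (c) 2000-2026 the FFmpeg developers",
    "release_newer": "ffmpeg version 8.2 Copyright (c) 2000-2026 the FFmpeg developers",
    "distro_old": "ffmpeg version 7.1.1-1ubuntu1 Copyright (c) 2000-2026 the FFmpeg developers",
    "git_snapshot": "ffmpeg version N-120000-gdeadbeef Copyright (c) 2000-2026 the FFmpeg developers",
}


def classify_samples() -> Dict[str, Optional[bool]]:
    """Classify every constructed sample banner; used to exercise the parser offline."""
    return {name: is_patched(banner) for name, banner in SAMPLE_BANNERS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14s} -> {'patched' if verdict else 'UNPATCHED' if verdict is False else 'undecidable'}")
    print("local ffmpeg ->", check_installed())
```

The verdict is a screening heuristic, not proof. Distribution packages (the Debian list is among the references below) often backport a fix without changing the upstream version string, and vendored builds such as a media server's bundled FFmpeg may carry their own version suffix, so a `False` result means "confirm against the vendor advisory", and a `None` result means the build has to be checked by another route, such as its package changelog.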
References:
malware.news
xakep.ru
scworld.com
securityweek.com
jfrog.com
lists.debian.org
bleepingcomputer.com
cvefeed.io