Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: ffmpeg (2 articles)Clear

FFmpeg PixelSmash flaw enables code execution on media servers via crafted videos

FFmpeg has patched PixelSmash, a heap overflow in the MagicYUV video decoder of its libavcodec library that a crafted AVI, MKV, or MOV file can trigger, even during automated thumbnail generation or media scanning. The flaw (CVE-2026-8461) can crash applications or, where address-space randomization is disabled or bypassed, lead to remote code execution; researchers demonstrated full code execution on a Jellyfin media server. Because FFmpeg is embedded almost everywhere video is processed, the bug reaches many self-hosted tools, including Jellyfin, Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio. The fix shipped in FFmpeg 8.1.2, and several affected projects have updated or added mitigations.

Check
Identify self-hosted media and file-handling services that bundle FFmpeg, check their FFmpeg version, and determine whether they automatically process or generate thumbnails from user-supplied video files.
Affected
Applications using FFmpeg before 8.1.2 with the MagicYUV decoder enabled (CVE-2026-8461), including media servers like Jellyfin, Emby, Kodi, Nextcloud, PhotoPrism, and OBS Studio that ingest untrusted video files.
Fix
Update to FFmpeg 8.1.2 or later, or update the bundled application that ships it. Where patching lags, disable the MagicYUV decoder or block untrusted AVI, MKV, and MOV uploads until fixed.

AI agent finds 21 FFmpeg zero-days, public exploit code released

A security startup's autonomous AI agent scanned FFmpeg, the open-source media library built into countless video and audio tools, and turned up 21 previously unknown bugs, each with working proof-of-concept code that crashes or corrupts memory when the software processes a malicious media file. Several flaws are 15 to 20 years old; one dates back to 2003. Nine already carry CVE numbers (CVE-2026-39210 through CVE-2026-39218), and the rest are fixed but not yet numbered. The whole run cost about $1,000. Because FFmpeg sits inside browsers, media servers, and apps everywhere, any product that decodes untrusted video could be at risk.

Check
Inventory software and services that bundle FFmpeg or libav, especially media servers and transcoding pipelines that decode untrusted, user-supplied video or audio files.
Affected
FFmpeg builds containing the affected parsers and demuxers (TS, VP9, DASH, and others). Nine flaws tracked as CVE-2026-39210 through CVE-2026-39218; remaining bugs fixed but unnumbered.
Fix
Apply upstream fixes by updating to the newest official FFmpeg build; distributions are shipping patches now. Rebuild any app that statically bundles FFmpeg against the fixed code.