FFmpeg has patched PixelSmash, a heap overflow in the MagicYUV video decoder of its libavcodec library that a crafted AVI, MKV, or MOV file can trigger, even during automated thumbnail generation or media scanning. The flaw (CVE-2026-8461) can crash applications or, where address-space randomization is disabled or bypassed, lead to remote code execution; researchers demonstrated full code execution on a Jellyfin media server. Because FFmpeg is embedded almost everywhere video is processed, the bug reaches many self-hosted tools, including Jellyfin, Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio. The fix shipped in FFmpeg 8.1.2, and several affected projects have updated or added mitigations.
A security startup's autonomous AI agent scanned FFmpeg, the open-source media library built into countless video and audio tools, and turned up 21 previously unknown bugs, each with working proof-of-concept code that crashes or corrupts memory when the software processes a malicious media file. Several flaws are 15 to 20 years old; one dates back to 2003. Nine already carry CVE numbers (CVE-2026-39210 through CVE-2026-39218), and the rest are fixed but not yet numbered. The whole run cost about $1,000. Because FFmpeg sits inside browsers, media servers, and apps everywhere, any product that decodes untrusted video could be at risk.