Last updated: July 5, 2026 at 9:01 AM UTC
Tag: media-server (1 article)

FFmpeg PixelSmash flaw enables code execution on media servers via crafted videos

FFmpeg has patched PixelSmash, a heap overflow in the MagicYUV video decoder of its libavcodec library that a crafted AVI, MKV, or MOV file can trigger, even during automated thumbnail generation or media scanning. The flaw (CVE-2026-8461) can crash applications or, where address-space randomization is disabled or bypassed, lead to remote code execution; researchers demonstrated full code execution on a Jellyfin media server. Because FFmpeg is embedded almost everywhere video is processed, the bug reaches many self-hosted tools, including Jellyfin, Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio. The fix shipped in FFmpeg 8.1.2, and several affected projects have updated or added mitigations.

Check
Identify self-hosted media and file-handling services that bundle FFmpeg, check their FFmpeg version, and determine whether they automatically process or generate thumbnails from user-supplied video files.
Affected
Applications using FFmpeg before 8.1.2 with the MagicYUV decoder enabled (CVE-2026-8461), including media servers like Jellyfin, Emby, Kodi, Nextcloud, PhotoPrism, and OBS Studio that ingest untrusted video files.
Fix
Update to FFmpeg 8.1.2 or later, or update the bundled application that ships it. Where patching lags, disable the MagicYUV decoder or block untrusted AVI, MKV, and MOV uploads until fixed.
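
One way to script the Check step for a single FFmpeg binary, as an added example that is not part of the advisory or of any affected project. It assumes upstream release numbering, so a distribution package that backports the fix under an older version number will still be reported as affected; the function names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): triage one FFmpeg build for CVE-2026-8461.
FIXED="8.1.2"  # first fixed release, per the advisory

# Release number from line 1 of `ffmpeg -version`. Distro suffixes are dropped;
# git/date snapshot builds yield nothing, as they cannot be compared to a release.
parse_version() {
  printf '%s\n' "$1" |
    sed -n '1s/^ffmpeg version \([0-9]\{1,\}\(\.[0-9]\{1,\}\)\{1,2\}\).*/\1/p'
}

# True if dotted version $1 sorts before $2 (numeric compare, up to 3 fields).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# True if the `ffmpeg -decoders` listing in $1 has a decoder named magicyuv.
has_magicyuv() {
  printf '%s\n' "$1" | awk '$2 == "magicyuv" { f = 1 } END { exit !f }'
}

assess() {  # $1 = `ffmpeg -version` text, $2 = `ffmpeg -decoders` text
  v=$(parse_version "$1")
  if [ -z "$v" ]; then echo "UNKNOWN: snapshot build, check its source revision"
  elif ! version_lt "$v" "$FIXED"; then echo "PATCHED: $v"
  elif has_magicyuv "$2"; then echo "AFFECTED: $v with magicyuv decoder enabled"
  else echo "MITIGATED: $v but magicyuv decoder not present"
  fi
}

# Constructed sample output, used when no binary path is given.
SAMPLE_VERSION='ffmpeg version 8.1.1-0+example Copyright (c) the FFmpeg developers'
SAMPLE_DECODERS=' VFS..D magicyuv             MagicYUV video
 V....D mjpeg                Motion JPEG'

if [ "$#" -gt 0 ]; then  # usage: sh check.sh /path/to/bundled/ffmpeg
  assess "$("$1" -version 2>/dev/null)" "$("$1" -hide_banner -decoders 2>/dev/null)"
else
  assess "$SAMPLE_VERSION" "$SAMPLE_DECODERS"
fi
```

Run it against the binary each service actually invokes, since bundled copies can differ from the system `ffmpeg` on the PATH.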