FFmpeg PixelSmash flaw enables code execution on media servers via crafted videos
FFmpeg has patched PixelSmash, a heap overflow in the MagicYUV video decoder of its libavcodec library that a crafted AVI, MKV, or MOV file can trigger, even during automated thumbnail generation or media scanning. The flaw (CVE-2026-8461) can crash applications or, where address-space randomization is disabled or bypassed, lead to remote code execution; researchers demonstrated full code execution on a Jellyfin media server. Because FFmpeg is embedded almost everywhere video is processed, the bug reaches many self-hosted tools, including Jellyfin, Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio. The fix shipped in FFmpeg 8.1.2, and several affected projects have updated or added mitigations.
- Check: Identify self-hosted media and file-handling services that bundle FFmpeg, check their FFmpeg version, and determine whether they automatically process or generate thumbnails from user-supplied video files.
- Affected: Applications using FFmpeg before 8.1.2 with the MagicYUV decoder enabled (CVE-2026-8461), including media servers like Jellyfin, Emby, Kodi, Nextcloud, PhotoPrism, and OBS Studio that ingest untrusted video files.
- Fix: Update to FFmpeg 8.1.2 or later, or update the bundled application that ships it. Where patching lags, disable the MagicYUV decoder or block untrusted AVI, MKV, and MOV uploads until fixed.