FFmpeg fixes PixelSmash flaw in widely used video decoder
The PixelSmash vulnerability (CVE-2026-8461) is a heap out-of-bounds write flaw in the MagicYUV decoder of FFmpeg's libavcodec library. It affects video files in AVI, MKV, and MOV formats and can be triggered by opening or scanning such files. This flaw can cause denial-of-service conditions in multiple media applications and potentially enable remote code execution (RCE) on Jellyfin and Nextcloud servers under specific conditions. Exploitation for RCE requires Address Space Layout Randomization (ASLR) to be disabled or chained with another vulnerability to bypass this protection. FFmpeg version 8.1.2 addresses this issue, and some applications have implemented mitigations such as disabling vulnerable decoders or adding file format blocklists.
AI Analysis
Technical Summary
PixelSmash (CVE-2026-8461) is a critical heap buffer overflow vulnerability in the MagicYUV decoder of FFmpeg's libavcodec library. It arises from inconsistent handling of chroma plane heights during slice processing, leading to a one-row heap out-of-bounds write. This flaw can be triggered by processing crafted AVI, MKV, or MOV video files, including during thumbnail generation or automated media ingestion workflows. The vulnerability affects numerous popular media applications that use FFmpeg with MagicYUV enabled, including Jellyfin, Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio. Exploitation can cause denial-of-service or, under conditions where ASLR is disabled or bypassed, remote code execution. JFrog researchers demonstrated full RCE on Jellyfin 10.11.9 via crafted media files triggering ffprobe metadata scans. FFmpeg fixed the vulnerability in version 8.1.2 released on June 17, 2026. Some applications have updated their FFmpeg versions or implemented mitigations such as decoder disablement or file format blocklists. The vulnerability represents a significant supply-chain risk due to FFmpeg's widespread use in media processing.
Potential Impact
The vulnerability can cause denial-of-service conditions in affected applications by triggering heap out-of-bounds writes. Under specific conditions—namely, if ASLR is disabled or bypassed via chaining with another vulnerability—it can lead to remote code execution with the privileges of the media server process (e.g., Jellyfin service user). This enables attackers to execute arbitrary commands remotely by delivering crafted video files. The flaw affects any application using FFmpeg's MagicYUV decoder for video processing, expanding the attack surface significantly. While some applications like Plex mitigate the risk by disabling vulnerable decoders, others remain exposed until updated.
Mitigation Recommendations
A fix is available in FFmpeg version 8.1.2, released on June 17, 2026, which addresses the PixelSmash vulnerability. Users and administrators of affected applications should update to this or later FFmpeg versions. Jellyfin has updated its bundled FFmpeg to mitigate the issue. PhotoPrism is implementing file format blocklists as an additional mitigation. Applications that disable the MagicYUV decoder or use custom FFmpeg builds with minimal decoder allowlists (e.g., Plex) are effectively protected. Nextcloud has declined to address the flaw directly as it exists outside their core product. Until updates are applied, avoid processing untrusted video files in vulnerable applications. Patch status is confirmed by the FFmpeg advisory.
FFmpeg fixes PixelSmash flaw in widely used video decoder
Description
The PixelSmash vulnerability (CVE-2026-8461) is a heap out-of-bounds write flaw in the MagicYUV decoder of FFmpeg's libavcodec library. It affects video files in AVI, MKV, and MOV formats and can be triggered by opening or scanning such files. This flaw can cause denial-of-service conditions in multiple media applications and potentially enable remote code execution (RCE) on Jellyfin and Nextcloud servers under specific conditions. Exploitation for RCE requires Address Space Layout Randomization (ASLR) to be disabled or chained with another vulnerability to bypass this protection. FFmpeg version 8.1.2 addresses this issue, and some applications have implemented mitigations such as disabling vulnerable decoders or adding file format blocklists.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PixelSmash (CVE-2026-8461) is a critical heap buffer overflow vulnerability in the MagicYUV decoder of FFmpeg's libavcodec library. It arises from inconsistent handling of chroma plane heights during slice processing, leading to a one-row heap out-of-bounds write. This flaw can be triggered by processing crafted AVI, MKV, or MOV video files, including during thumbnail generation or automated media ingestion workflows. The vulnerability affects numerous popular media applications that use FFmpeg with MagicYUV enabled, including Jellyfin, Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio. Exploitation can cause denial-of-service or, under conditions where ASLR is disabled or bypassed, remote code execution. JFrog researchers demonstrated full RCE on Jellyfin 10.11.9 via crafted media files triggering ffprobe metadata scans. FFmpeg fixed the vulnerability in version 8.1.2 released on June 17, 2026. Some applications have updated their FFmpeg versions or implemented mitigations such as decoder disablement or file format blocklists. The vulnerability represents a significant supply-chain risk due to FFmpeg's widespread use in media processing.
Potential Impact
The vulnerability can cause denial-of-service conditions in affected applications by triggering heap out-of-bounds writes. Under specific conditions—namely, if ASLR is disabled or bypassed via chaining with another vulnerability—it can lead to remote code execution with the privileges of the media server process (e.g., Jellyfin service user). This enables attackers to execute arbitrary commands remotely by delivering crafted video files. The flaw affects any application using FFmpeg's MagicYUV decoder for video processing, expanding the attack surface significantly. While some applications like Plex mitigate the risk by disabling vulnerable decoders, others remain exposed until updated.
Mitigation Recommendations
A fix is available in FFmpeg version 8.1.2, released on June 17, 2026, which addresses the PixelSmash vulnerability. Users and administrators of affected applications should update to this or later FFmpeg versions. Jellyfin has updated its bundled FFmpeg to mitigate the issue. PhotoPrism is implementing file format blocklists as an additional mitigation. Applications that disable the MagicYUV decoder or use custom FFmpeg builds with minimal decoder allowlists (e.g., Plex) are effectively protected. Nextcloud has declined to address the flaw directly as it exists outside their core product. Until updates are applied, avoid processing untrusted video files in vulnerable applications. Patch status is confirmed by the FFmpeg advisory.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/ffmpeg-fixes-pixelsmash-flaw-in-widely-used-video-decoder/","fetched":true,"fetchedAt":"2026-06-22T21:09:14.036Z","wordCount":985}
Threat ID: 6a39a47aeed863c81e6f6462
Added to database: 06/22/2026, 21:09:14 UTC
Last enriched: 06/22/2026, 21:09:25 UTC
Last updated: 06/22/2026, 23:18:54 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.