Bleepingcomputer
FFmpeg's PixelSmash Vulnerability Enables Remote Code Execution via Media Files
A critical vulnerability in FFmpeg's MagicYUV decoder, tracked as CVE-2026-8461 and named 'PixelSmash', allows attackers to achieve remote code execution (RCE) through crafted media files under specific conditions. The flaw is a heap out-of-bounds write with a CVSS score of 8.8, and it affects any application that uses FFmpeg's libavcodec library. Vulnerable applications include Jellyfin, Kodi, Emby, and OBS Studio, among others. Exploitation can occur through malicious video files in AVI, MKV, or MOV formats, particularly when ASLR is disabled. Researchers demonstrated RCE on Jellyfin servers via a crafted media library scan. The vulnerability was published on June 18, 2026, and poses a significant risk to users of affected media applications. Users are advised to apply patches and monitor for updates.
Key Points:
• CVE-2026-8461, known as PixelSmash, is a critical vulnerability in FFmpeg's MagicYUV decoder.
• The flaw allows for remote code execution via malicious media files, affecting multiple popular applications.
• Exploitation requires specific conditions, including the potential disabling of ASLR.