Bleepingcomputer
Critical FFmpeg Vulnerability Enables Remote Code Execution via Malicious Media Files
A critical vulnerability in FFmpeg, tracked as CVE-2026-8461 and named 'PixelSmash', has been disclosed. The flaw is an out-of-bounds write in the MagicYUV decoder that allows remote code execution (RCE) through specially crafted media files. Affected software includes popular media applications such as Jellyfin, Kodi, and OBS Studio, which use FFmpeg's libavcodec library. The vulnerability has a CVSS score of 8.8, indicating high severity.

Exploitation requires specific conditions, such as Address Space Layout Randomization (ASLR) being disabled. Researchers from JFrog demonstrated RCE on Jellyfin servers using a crafted video file. Attack vectors include opening malicious video files and automated media ingestion workflows. The vulnerability affects FFmpeg versions prior to 8.1.2, and users are urged to update to mitigate the risk. The vulnerability was published on June 18, 2026.
Key Points:
• CVE-2026-8461, dubbed 'PixelSmash', allows RCE via malicious media files.
• Affected applications include Jellyfin, Kodi, and OBS Studio using FFmpeg's libavcodec.
• Exploitation requires ASLR to be disabled or chaining with another vulnerability.
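
A host check for the two conditions the article names (a build older than 8.1.2, and ASLR disabled), written here as an added example and not taken from the article, JFrog or the FFmpeg project. The function names are hypothetical, the ASLR check assumes Linux `/proc`, and the verdict compares upstream version numbers only, so snapshot builds report `unknown` and a distribution package carrying a backported fix would still read as `vulnerable`.

```shell
#!/bin/sh
# Added example: compare the ffmpeg on PATH with the fixed release named in the
# article and report the kernel ASLR setting. Function names are hypothetical.
FIXED="8.1.2"   # from the article: versions prior to 8.1.2 are affected

# Pull the version token out of the first line of `ffmpeg -version` output.
banner_version() {
    printf '%s\n' "$1" | sed -n '1s/^ffmpeg version \([^ ]*\).*/\1/p'
}

# Turn "X.Y" or "X.Y.Z" into one comparable integer; print nothing otherwise.
version_key() {
    v=${1#n}; v=${v%%-*}; v=${v%%+*}   # drop git-tag "n" prefix, packaging suffix
    case "$v" in
        ""|*[!0-9.]*|.*|*.|*..*) return 0 ;;   # snapshot or unparseable string
        *.*) ;;
        *) return 0 ;;                          # bare number, e.g. a dated build
    esac
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    echo $(( $1 * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Print "vulnerable", "patched" or "unknown" for a version token.
classify_version() {
    have=$(version_key "$1"); want=$(version_key "$FIXED")
    if [ -z "$have" ]; then echo unknown
    elif [ "$have" -lt "$want" ]; then echo vulnerable
    else echo patched; fi
}

# Map the value of /proc/sys/kernel/randomize_va_space to a label.
aslr_state() {
    case "$1" in
        0) echo disabled ;;
        1|2) echo enabled ;;
        *) echo unknown ;;
    esac
}

report() {
    if command -v ffmpeg >/dev/null 2>&1; then
        ver=$(banner_version "$(ffmpeg -version 2>/dev/null || true)")
        echo "ffmpeg ${ver:-?}: $(classify_version "$ver")"
    else
        echo "ffmpeg: not on PATH"
    fi
    f=/proc/sys/kernel/randomize_va_space
    if [ -r "$f" ]; then echo "ASLR: $(aslr_state "$(cat "$f")")"; fi
}
report
```

This inspects only the `ffmpeg` binary on `PATH`; applications that ship their own copy of libavcodec need their bundled build checked separately.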