FFmpeg patches PixelSmash vulnerability in widely used video decoder

A high-severity FFmpeg vulnerability in the MagicYUV decoder (CVE-2026-8461) can be triggered via crafted video files to cause denial of service and, in some cases, remote code execution across widely used media applications.

CSBadmin

A high-severity vulnerability tracked as CVE-2026-8461 has been discovered in the MagicYUV decoder used by FFmpeg, exposing a wide range of media applications—including Jellyfin, Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio—to potential denial-of-service conditions and, in some scenarios, remote code execution. The flaw, rated 8.8 in severity, can be triggered through a specially crafted video file in AVI, MKV, or MOV format and affects any software that relies on FFmpeg’s libavcodec library for media decoding.

Security researchers at JFrog found that the issue, dubbed “PixelSmash,” is a heap out-of-bounds write caused by inconsistent calculations of chroma plane heights during MagicYUV slice processing. This mismatch allows a one-row heap buffer overflow that can be triggered not only during video playback, but also through common background operations such as thumbnail generation or automated media ingestion workflows. Because FFmpeg is widely embedded across media tools and platforms, the attack surface extends far beyond direct video playback.

In practical terms, a malicious file placed into a monitored media library could trigger automatic scanning processes—such as ffprobe metadata extraction in Jellyfin—leading to memory corruption and, in some cases, potential code execution. JFrog demonstrated full remote code execution against a Jellyfin server by hijacking a vulnerable execution path, though successful exploitation typically requires bypassing protections like Address Space Layout Randomization (ASLR) or chaining with another vulnerability. Even without RCE, the bug can reliably be used to crash affected applications.

While some platforms like Plex mitigate risk through tightly controlled FFmpeg builds, the broader ecosystem remains exposed due to FFmpeg’s ubiquity. The issue has been patched in FFmpeg 8.1.2, with vendors including Jellyfin and PhotoPrism rolling out updates or mitigations, while others assess their exposure. Researchers warn that PixelSmash represents a classic supply-chain risk, given how many projects implicitly trust FFmpeg to safely process untrusted media inputs.
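For defenders taking inventory, the sketch below triages a single FFmpeg build from the text of `ffmpeg -version` and `ffmpeg -decoders`. It is an added example, not code from JFrog, FFmpeg, or any vendor named above. It assumes the fixed release 8.1.2 stated in the article and that the decoder is listed under the name `magicyuv`; the function names, verdict strings, and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage one FFmpeg build for CVE-2026-8461 exposure.
FIXED="8.1.2"   # fixed release named in the article

# version_lt A B: succeeds when dotted version A is numerically lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# classify_ffmpeg VERSION_OUTPUT DECODERS_OUTPUT -> prints one verdict line.
classify_ffmpeg() {
    version_out=$1
    decoders_out=$2
    if [ -z "$decoders_out" ]; then
        echo "unknown:no-decoder-list"; return 0
    fi
    # Build without the MagicYUV decoder: the affected code is not present.
    if ! printf '%s\n' "$decoders_out" | grep -Eq '[[:space:]]magicyuv([[:space:]]|$)'; then
        echo "not-exposed:decoder-absent"; return 0
    fi
    # Take the release number after "version"; git snapshots (N-...) yield nothing.
    ver=$(printf '%s\n' "$version_out" |
        sed -n '1s/^ff[a-z]* version n\{0,1\}\([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unknown:non-release-build"; return 0
    fi
    if version_lt "$ver" "$FIXED"; then
        echo "review:$ver"      # older than the fix; check for a vendor backport
    else
        echo "patched:$ver"
    fi
}

# Constructed sample output (not captured from a real host).
SAMPLE_VERSION='ffmpeg version 8.1.1 Copyright (c) 2000-2026 the FFmpeg developers'
SAMPLE_DECODERS=' V....D h264                 H.264 / AVC
 VFS..D magicyuv             MagicYUV video'

classify_ffmpeg "$SAMPLE_VERSION" "$SAMPLE_DECODERS"
```

On a host, pass `"$(ffmpeg -version)"` and `"$(ffmpeg -hide_banner -decoders)"` as the two arguments. Applications that ship their own FFmpeg need the check run against that bundled binary, not the system one.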
