Critical FFmpeg MagicYUV Flaw Demands SBOM Focus
🔒 A critical heap out-of-bounds write in the MagicYUV decoder of FFmpeg (CVE-2026-8461), dubbed PixelSmash, can crash applications or enable remote code execution. Researchers at JFrog demonstrated full exploits against Jellyfin and Nextcloud by uploading crafted media files; any app using libavcodec is potentially affected. Users and vendors should upgrade to FFmpeg 8.1.2 or disable the MagicYUV decoder if unused.
