FFmpeg patches PixelSmash MagicYUV vulnerability
🛡️ FFmpeg fixed a high-severity heap out-of-bounds flaw dubbed PixelSmash (CVE-2026-8461) in the MagicYUV decoder that can be triggered by crafted AVI, MKV, or MOV files. The bug allows denial-of-service in many media apps and can enable remote code execution in specific setups — for example, Jellyfin and Nextcloud instances — particularly if ASLR is disabled or chained with another vulnerability. FFmpeg 8.1.2 addresses the issue and vendors are updating or applying mitigations.
