A newly disclosed FFmpeg flaw called PixelSmash (CVE-2026-8461) can enable remote code execution on Jellyfin under certain conditions and cause denial-of-service in apps such as Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio. JFrog says the bug affects many FFmpeg-based projects through the MagicYUV decoder, with fixes available in FFmpeg 8.1.2 and additional mitigations already applied by some vendors.
Key points
- PixelSmash is a high-severity heap out-of-bounds write in FFmpeg’s MagicYUV decoder.
- The flaw can be triggered with crafted AVI, MKV, or MOV video files.
- It may lead to remote code execution on Jellyfin and some Nextcloud setups if ASLR is bypassed.
- Many media apps and thumbnail generators that use libavcodec are potentially affected.
- FFmpeg 8.1.2 fixes the issue, and some products have added temporary mitigations.
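For triaging hosts against the fixed release named above, the following is an added example, not code from the original page, FFmpeg, or JFrog. It classifies an FFmpeg binary from its `ffmpeg -version` banner and `ffmpeg -decoders` listing. The function names, verdict labels and sample banners are this example's own, and a banner comparison cannot see fixes a distribution has backported into an older release number.

```shell
#!/bin/sh
# Added triage example; not code from FFmpeg, JFrog or any affected project.
FIXED="8.1.2"   # fixed FFmpeg release named on the page

# Upstream X.Y[.Z] from line 1 of `ffmpeg -version`; empty for git snapshots.
ffmpeg_release() {
  printf '%s\n' "$1" |
    sed -n '1s/^ffmpeg version n\{0,1\}\([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,2\}\).*/\1/p'
}

# Succeeds when release $1 is older than $2 (numeric; missing fields count as 0).
version_lt() {
  va=$1; vb=$2
  for n in 1 2 3; do
    x=${va%%.*}; y=${vb%%.*}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
  done
  return 1
}

# Succeeds when the `ffmpeg -decoders` listing in $1 includes the magicyuv decoder.
has_magicyuv() {
  printf '%s\n' "$1" | awk '$2 == "magicyuv" { found = 1 } END { exit !found }'
}

# $1 = `ffmpeg -version` text, $2 = `ffmpeg -decoders` text.
triage() {
  has_magicyuv "$2" || { echo "decoder-absent"; return 0; }
  rel=$(ffmpeg_release "$1")
  if [ -z "$rel" ]; then echo "unknown-snapshot"      # no release number to compare
  elif version_lt "$rel" "$FIXED"; then echo "below-$FIXED"   # backports not visible here
  else echo "at-or-above-$FIXED"; fi
}

# Constructed sample outputs, not captured from a real host.
OLD_BANNER='ffmpeg version 7.1.1-1+b1 Copyright (c) 2000-2025 the FFmpeg developers'
GIT_BANNER='ffmpeg version N-118000-g0123abcd Copyright (c) 2000-2026 the FFmpeg developers'
DECODERS=' VFS..D magicyuv             MagicYUV video
 V....D mjpeg                Motion JPEG'

# Live check when an ffmpeg binary is on PATH.
if command -v ffmpeg >/dev/null 2>&1; then
  triage "$(ffmpeg -version 2>/dev/null)" "$(ffmpeg -hide_banner -decoders 2>/dev/null)"
fi
```

Run it against every FFmpeg binary in use, including any copy bundled with an application, since each may be a different build.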