AIO APEX

PixelSmash: Critical FFmpeg flaw lets attackers execute code via malicious video files

BleepingComputer

Security researchers have disclosed PixelSmash, a high-severity heap overflow vulnerability in FFmpeg's MagicYUV video decoder that can be triggered by a booby-trapped video file. The flaw, CVE-2026-8461 with a CVSS score of 8.8 (High), was patched in FFmpeg 8.1.2 released June 17, 2026 — but every application that ships FFmpeg without updating is still vulnerable.

What is the vulnerability

The bug lives in the MagicYUV decoder inside FFmpeg's libavcodec library. A mismatch between how the frame allocator and the decoder compute chroma plane heights creates a heap out-of-bounds write condition. Attackers can exploit this by crafting malicious AVI, MKV, or MOV files. The file does not need to play to completion — in some configurations, simply scanning a directory or generating a thumbnail is enough to trigger the flaw.

FFmpeg is the backbone of virtually everything that plays, encodes, or handles video: media servers, streaming apps, image preview tools, desktop file managers, and messaging apps. That ubiquity is exactly what makes PixelSmash significant. A single library vulnerability propagates through every application that ships an unpatched version.

Who is at risk and what attackers can do

The impact depends on the target. On servers running Jellyfin or Nextcloud without ASLR enabled, the flaw allows remote code execution — an attacker who can get a malicious video file into a media library can potentially take over the server entirely. For client applications such as Kodi, Emby, PhotoPrism, and OBS Studio, the most reliable outcome is a crash or denial of service. Desktop thumbnail generators in GNOME, KDE, and XFCE are also affected, meaning a user who simply browses to a folder containing a malicious video file could inadvertently trigger the exploit.

The broader concern is messaging platforms. Researchers noted that Slack, Discord, Telegram, and WhatsApp could be affected when their attachment pipelines pass video files through FFmpeg for thumbnail generation. These apps often process received media automatically in the background — no user action beyond receiving a file is needed.

What to do

Update to FFmpeg 8.1.2 immediately. If you run Jellyfin, Nextcloud, or any other self-hosted media application, check whether the package has been rebuilt against the patched FFmpeg version — a software update to the application alone is not sufficient if it bundles its own FFmpeg build. Media server operators should treat this as an urgent patch, especially any instance exposed to external users or accessible from the public internet. The vulnerability was first reported by BleepingComputer.
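One way to carry out the bundled-build check described above, as an added example that is not from the article or from the FFmpeg project: a shell script that finds `ffmpeg` executables under the directories passed to it and compares each reported version with 8.1.2. The function names and the sample banners are constructed for illustration.

```shell
# Added example: inventory ffmpeg binaries (system and bundled copies).
FIXED="8.1.2"   # fixed release as stated in the article

# "ffmpeg version 7.1.1-Jellyfin Copyright ..." -> "7.1.1-Jellyfin"
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^ffmpeg version \([^ ]*\).*/\1/p'
}

# Succeeds when dotted numeric version $1 is lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Vendor suffixes are ignored; git snapshots ("N-...") have no release
# number to compare, so they are reported as UNKNOWN.
classify_version() {
    core=$(printf '%s\n' "$1" |
        sed -n 's/^n\{0,1\}\([0-9][0-9]*\.[0-9][0-9.]*\).*/\1/p')
    if [ -z "$core" ]; then echo UNKNOWN
    elif version_lt "$core" "$FIXED"; then echo BELOW_FIXED
    else echo AT_OR_ABOVE_FIXED
    fi
}

# Scan the given directory roots for executables named ffmpeg.
scan() {
    find "$@" -type f -name ffmpeg 2>/dev/null | while IFS= read -r bin; do
        [ -x "$bin" ] || continue
        ver=$(banner_version "$("$bin" -version 2>/dev/null | head -n 1)")
        printf '%s\t%s\t%s\n' "$bin" "${ver:-?}" "$(classify_version "$ver")"
    done
}

# Constructed sample banners (not captured from real hosts).
demo() {
    for b in "ffmpeg version 8.1.2 Copyright (c) 2000-2026 the FFmpeg developers" \
             "ffmpeg version 7.1.1-Jellyfin Copyright (c) 2000-2025 the FFmpeg developers" \
             "ffmpeg version N-118315-g4f3c9f2f03 Copyright (c) 2000-2025 the FFmpeg developers"; do
        classify_version "$(banner_version "$b")"
    done
}

if [ "$#" -gt 0 ]; then scan "$@"; else demo; fi
```

A BELOW_FIXED result from a distribution package is a prompt to check the vendor's advisory, since distributions can backport a fix without changing the upstream version number. Applications that link libavcodec statically ship no separate `ffmpeg` binary, so this scan will not see them.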

Originally reported by BleepingComputer. Read the original article for additional details.
