A critical flaw in FFmpeg — the video decoder that half the internet depends on — could let attackers execute remote code just by getting you to open a malicious video file. It’s called PixelSmash, tracked as CVE-2026-8461, and it scored an 8.8 on the severity scale.
The bug is a heap buffer overflow in the MagicYUV decoder’s slice handling. JFrog researchers found it can be triggered through AVI, MKV, or MOV files. Any app using FFmpeg’s libavcodec is potentially vulnerable — that includes Kodi, OBS Studio, PhotoPrism, Nextcloud, Emby, and even thumbnail generators built into GNOME, KDE, and XFCE.
Here’s the scary part: JFrog demonstrated full remote code execution on Jellyfin, the second-most popular self-hosted media server after Plex. An attacker uploads a crafted video to the media library, Jellyfin’s auto-scan triggers ffprobe, and the exploit fires — hijacking a function pointer to run arbitrary commands as the Jellyfin service user.
It gets worse for torrent users. Point your download client at a media library folder, and a malicious file could trigger the exploit automatically with zero interaction.
RCE requires ASLR to be disabled, which limits the attack surface. But JFrog says a separate info-disclosure bug in FFmpeg’s FlashSV decoder could theoretically be chained to bypass ASLR entirely.
FFmpeg 8.1.2 fixes the issue. Jellyfin updated its bundled FFmpeg, and PhotoPrism is adding a format blocklist. Plex users are safe — their custom FFmpeg build uses a minimal decoder allowlist. Everyone else should update now.
