
©2026 Poal.co


Archive: https://archive.today/Vl8Or

From the post:

>JFrog Security Research recently discovered and disclosed a critical vulnerability in FFmpeg, the world’s most widely deployed media processing framework. The discovered vulnerability, which we’ve named PixelSmash, is CVE-2026-8461 – a heap out-of-bounds write in the MagicYUV decoder (CVSS 8.8 High). We escalated this vulnerability from a simple crash all the way to reliable remote code execution – all it takes is processing a single malicious media file. The out-of-bounds write is enough to crash any application that uses FFmpeg – from desktop video players like Kodi and mpv, to Linux file-manager thumbnail generators, to cloud transcoding pipelines and self-hosted media servers. We demonstrated the full exploit by achieving remote code execution on two independent targets: a Jellyfin media server (via automatic library scan) and a Nextcloud instance (via the video preview provider) – in both cases, by simply uploading a crafted 50 KB AVI file.
