Critical PixelSmash vulnerability in FFmpeg's MagicYUV decoder allows code execution via malformed video files
By
Pieter Arntz
Summary
Researchers have disclosed PixelSmash (CVE-2026-8461), a critical vulnerability in FFmpeg's MagicYUV video decoder with a CVSS score of 8.8. By crafting a specially formatted AVI, MKV, or MOV file, attackers can crash or potentially execute code on any system using a vulnerable version of FFmpeg — a widely used open-source multimedia toolkit embedded in millions of systems, media players, and video processing pipelines.
Source
Key quotes
· 3 pulledResearchers have disclosed PixelSmash, a critical vulnerability tracked as CVE-2026-8461, in FFmpeg's MagicYUV video decoder with a CVSS score of 8.8.
By crafting a specially formatted AVI, MKV, or MOV file, an attacker can crash or potentially run code on any system that tries to generate a thumbnail, extract metadata, or play the file with a vulnerable version of FFmpeg.
FFmpeg is an open‑source toolkit for record
You might also wanna read
Heap-Buffer-Overflow Vulnerability Discovered in FFmpeg's EXIF Writer for Image Formats
The article details the discovery of a four-byte heap-buffer-overflow vulnerability in FFmpeg's EXIF writer when processing extra IFD (Image
Critical Redis Vulnerability (CVE-2025-49844) Allows Remote Code Execution with Maximum CVSS Score
Wiz Research has discovered a critical remote code execution vulnerability (CVE-2025-49844, nicknamed #RediShell) in Redis, the widely used
Critical Adobe ColdFusion Vulnerability Exploited in Attacks
Critical Security Vulnerability CVE-2025-66478 in React Server Components Protocol
A critical security vulnerability (CVE-2025-66478) has been discovered in the React Server Components (RSC) protocol with a CVSS score of 10

WAF - WAF Release - 2025-12-01
Technical Analysis of CVE-2025-10035: A CVSS 10.0 Vulnerability in Fortra GoAnywhere MFT
watchTowr Labs analyzes CVE-2025-10035, a critical CVSS 10.0 vulnerability in Fortra's GoAnywhere MFT (managed file transfer) solution. The
labs.watchtowr.com·9mo ago
Comments
Sign in to join the conversation.
No comments yet. Be the first.