FFmpeg 'PixelSmash' Flaw Enables RCE on Jellyfin, DoS on Major Media Apps | TekBrief
TekBrief
All Stories AI Crypto News & Media Security StartUps Tech
TekBrief
Security

FFmpeg 'PixelSmash' Flaw Enables RCE on Jellyfin, DoS on Major Media Apps

FFmpeg 'PixelSmash' Flaw Enables RCE on Jellyfin, DoS on Major Media Apps

Source: https://www.bleepingcomputer.com/news/security/ffmpeg-fixes-pixelsmash-flaw-in-widely-used-video-decoder/

Executive Briefing

  • Reveals CVE-2026-8461, a high-severity (8.8) heap buffer overflow in FFmpeg's MagicYUV video decoder affecting hundreds of applications
  • Enables remote code execution on Jellyfin servers via malicious AVI/MKV/MOV files, with no user interaction required in torrent-based attack scenarios
  • Affects Kodi, OBS Studio, Nextcloud, PhotoPrism, Emby, and potentially Slack, Discord, Telegram, and WhatsApp via server-side video previews
  • Patches released in FFmpeg 8.1.2 and Jellyfin's bundled FFmpeg; Nextcloud declined to fix, citing the flaw as external to their codebase
  • Plex remains unaffected due to a custom FFmpeg build with a minimal decoder allowlist, highlighting the supply-chain risk for other projects
Share: Facebook LinkedIn Email

Sponsored

NFL PRO LINE Men's Patrick Mahomes Red Kansas City Chiefs Team Jersey

NFL PRO LINE Men's Patrick Mahomes Red Kansas City Chiefs Team Jersey

$149.99
Apple 2024 Mac mini Desktop Computer with M4 chip with 10‑core

Apple 2024 Mac mini Desktop Computer with M4 chip with 10‑core

$769.99
Cordless Robotic Pool Vacuum

Cordless Robotic Pool Vacuum

$399.99
Smart Door Lock, Biometric Fingerprint, Keyless Entry

Smart Door Lock, Biometric Fingerprint, Keyless Entry

$79.99

More Stories