FFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS Appliances

A vulnerability in the FFmpeg media processing framework allows attackers to crash applications and execute arbitrary code remotely, JFrog warns.

FFmpeg is used in most media-processing applications across every platform, including desktop video players, Linux file managers, self-hosted media servers, and cloud transcoding pipelines.

Tracked as CVE-2026-8461 (CVSS score of 8.8), the security defect is described as a heap out-of-bounds write within FFmpeg’s libavcodec library, in the MagicYUV decoder.

The flaw exists in the MagicYUV decoder’s slice handling and is “caused by an inconsistency between how the frame allocator and the decoder compute chroma plane heights,” JFrog explains.

Dubbed PixelSmash, it can be exploited to crash any application that uses FFmpeg. Code execution can be achieved by targeting FFmpeg’s AVBuffer struct, a refcounted buffer management object allocated immediately after each plane’s pixel data.

To gain code execution, an attacker needs to target FFmpeg’s AVBuffer struct, a refcounted buffer management...

Copyright of this story solely belongs to securityweek.com.