FFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS Appliances
Security WeekArchived Jun 23, 2026✓ Full text saved
Attackers can send crafted media files to execute code in any application that uses FFmpeg’s libavcodec library. The post FFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS Appliances appeared first on SecurityWeek .
Full text archived locally
✦ AI Summary· Claude Sonnet
A vulnerability in the FFmpeg media processing framework allows attackers to crash applications and execute arbitrary code remotely, JFrog warns.
FFmpeg is used in most media-processing applications across every platform, including desktop video players, Linux file managers, self-hosted media servers, and cloud transcoding pipelines.
Tracked as CVE-2026-8461 (CVSS score of 8.8), the security defect is described as a heap out-of-bounds write within FFmpeg’s libavcodec library, in the MagicYUV decoder.
The flaw exists in the MagicYUV decoder’s slice handling and is “caused by an inconsistency between how the frame allocator and the decoder compute chroma plane heights,” JFrog explains.
Dubbed PixelSmash, it can be exploited to crash any application that uses FFmpeg. Code execution can be achieved by targeting FFmpeg’s AVBuffer struct, a refcounted buffer management object allocated immediately after each plane’s pixel data.
To gain code execution, an attacker needs to target FFmpeg’s AVBuffer struct, a refcounted buffer management object allocated immediately after each plane’s pixel data.
According to JFrog, by placing a NUL-terminated shell command at a specific out-of-bounds offset, an attacker can obtain shell execution before the FFmpeg process crashes on subsequent heap corruption.
PixelSmash can be exploited for remote code execution (RCE) via crafted media files delivered to any application that uses FFmpeg’s libavcodec for video decoding.
On desktop, the vulnerability is triggered when the user opens the malicious file in a video player, or when they browse to a folder containing it, if the file manager’s thumbnail generator uses the vulnerable library.
Code execution on a server is achieved when the media file is uploaded to a media server, chat platform, or cloud transcoding service, which automatically processes it.
The bug can also be exploited on NAS appliances, media appliances, and smart TVs that generate video thumbnails or previews.
“No authentication, special privileges, or prior access to the target system is required beyond the ability to deliver a media file – the default attack surface for any media-processing application,” JFrog explains.
The exploit payload can be delivered as a 50 KB AVI, MKV, or MOV file. It can be used in zero-click attacks over torrents if the victim has their torrent client set to download media files directly into a monitored media library folder. As soon as the torrent finishes, the automated library scanning executes the payload.
On the self-hosted cloud storage platform Nextcloud, which uses an independent FFmpeg build, the vulnerability can be triggered via the optional Movie preview provider, which invokes the system FFmpeg binary to generate thumbnails.
“The attacker requires no interaction beyond ensuring the file is visible in a folder listing; the server-side processing handles the rest, making this a near-zero-click vector,” JFrog notes.
The cybersecurity firm confirmed successful exploitation of the bug against Kodi, mpv, ffmpegthumbnailer (used by GNOME, KDE, XFCE), Jellyfin, Emby, Nextcloud, Immich, PhotoPrism, and OBS Studio. It also demonstrated successful RCE against Jellyfin.
FFmpeg version 8.1.2 contains fixes for PixelSmash. Users are advised to update as soon as possible.
Related: Decades-Old Squid Proxy Flaw ‘Squidbleed’ Can Expose User Data
Related: Attackers Exploit Gravity SMTP Plugin Flaw to Harvest Valuable WordPress Data
Related: New Exploit Bypasses Apple’s Boot Defenses, Affects Millions of iPhones
Related: Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.
More from Ionut Arghire
North Korean Hackers Blamed for Mastra NPM Supply Chain Attack
Fortinet Responds to FortiBleed Campaign
More Cybersecurity Firms Disclose Impact From Klue Hack
CryptoBandits Malware Doubles as a Backdoor, Abuses Tor
FortiBleed: 86,000 Fortinet Device Credentials Compromised
Cybersecurity Firms Impacted by Klue Supply Chain Attack
15,000 WordPress Websites Cleaned Up in SocGholish Botnet Takedown
Majority of Internet-Accessible REDCap Servers Outdated
Latest News
Algerian Man Extradited to US for Running Cybercrime Marketplaces
OpenAI Refocuses Cybersecurity Efforts on Patching Over Discovery
Russian Initial Access Broker Behind FortiBleed Campaign
Canadian Electricity Provider London Hydro Discloses Data Breach
Trump Signs Executive Order Accelerating Post-Quantum Cryptography Migration
Xsolis Data Breach Affects 1.4 Million Individuals
Decades-Old Squid Proxy Flaw ‘Squidbleed’ Can Expose User Data
Attackers Exploit Gravity SMTP Plugin Flaw to Harvest Valuable WordPress Data
Trending
Webinar: How Modern Breaches Bypass MFA And Evade Detection
June 17, 2026
Today’s attackers are no longer breaking in — they’re logging in. Join this live webinar as we break down the modern identity attack chain and examine how recent breaches exploited weaknesses in authentication, identity verification, and access management processes.
Register
Webinar: Modern Exposure Validation In The AI Era
June 24, 2026
AI has accelerated both sides of the fight. Adversaries are weaponizing vulnerabilities faster, while defenders are racing to ship detections and configurations. Join this live webinar as we explore how to prove your controls actually hold against new threats, map your security maturity, and unite breach simulation with automated pentesting into a single, coordinated program.
Register
People on the Move
SolarWinds has appointed Justin Henkel as Chief Information Security Officer.
J. Paul Haynes has joined Cinchy as Chief Executive Officer.
Hatem Naguib has become Chief Executive Officer at Sysdig.
More People On The Move
Expert Insights
What The Latest ShinyHunters Breaches Reveal About Modern Cyberattacks
Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George)
No Exploits Required
Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley)
After AI Reaches Production: 12 Ways Security Teams Can Take Control
Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb)
Everybody Is Vibe Coding But Nobody Told The Security Team
AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au)
The Zero-Knowledge Threat Actor And The End Of Responsible Disclosure
AI can help attackers generate malware, create malicious payloads, bypass simple security checks, and convert vague malicious intent into functional code. (Etay Maor)
Flipboard
Reddit
Whatsapp
Email