FFmpeg MagicYUV Heap Write Grants RCE via 50 KB Files in Kodi, Jellyfin, Nextcloud
A single decoder inconsistency in FFmpeg yields reliable RCE across millions of endpoints. The technical root cause, widespread embedding, and zero-interaction delivery vectors create systemic exposure. Immediate patching of all FFmpeg 8.1.1 instances is required.
The flaw stems from mismatched chroma plane height calculations between the frame allocator and slice decoder. JFrog's analysis shows an attacker can position a NUL-terminated command at the precise offset to hijack control flow during refcount handling. Exploitation requires only delivery of an AVI, MKV, or MOV container; no authentication or user interaction beyond file visibility in a watched directory.
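The bug class described above, as an added illustration that is not FFmpeg's code and not taken from JFrog's write-up. The two rounding formulas, the `Plane` struct and every function name are assumptions, chosen to show how an allocator and a slice writer that each derive a chroma row count can disagree by one row, and how a writer bounded by the allocation's recorded row count rejects the excess.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not FFmpeg code. Two code paths derive the chroma
 * row count from the luma height with different rounding (assumed). */
static int rows_floor(int h, int s) { return h >> s; }
static int rows_ceil(int h, int s) { return (h + (1 << s) - 1) >> s; }

typedef struct { uint8_t *data; int rows; size_t stride; } Plane;

/* Allocator: sizes the plane once and records how many rows exist. */
static int plane_alloc(Plane *p, int rows, size_t stride)
{
    p->rows = rows;
    p->stride = stride;
    p->data = calloc((size_t)rows, stride);
    return p->data ? 0 : -1;
}

/* Rows a writer would place past the allocation if it trusted its own
 * height formula instead of the recorded row count. */
static int rows_past_end(int alloc_rows, int writer_rows)
{
    return writer_rows > alloc_rows ? writer_rows - alloc_rows : 0;
}

/* Hardened slice writer: limits come from the allocation itself. */
static int slice_write(Plane *p, int first_row, int nrows, uint8_t fill)
{
    if (first_row < 0 || nrows < 0 || first_row > p->rows ||
        nrows > p->rows - first_row)
        return -1;   /* slice does not fit: reject, do not clamp silently */
    memset(p->data + (size_t)first_row * p->stride, fill,
           (size_t)nrows * p->stride);
    return 0;
}

int main(void)
{
    Plane p;
    int a = rows_floor(1081, 1), w = rows_ceil(1081, 1); /* odd height */
    if (plane_alloc(&p, a, 64)) return 1;
    printf("alloc=%d writer=%d past_end=%d checked=%d\n", a, w,
           rows_past_end(a, w), slice_write(&p, 0, w, 0x80));
    free(p.data);
    return 0;
}
```

Even luma heights make both formulas agree, so a test corpus needs odd dimensions to exercise the mismatch.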
FFmpeg appears in thumbnail generators, transcoding pipelines, and media servers across desktop, NAS, and cloud environments. Procurement records and package dependency graphs confirm its presence in GNOME, KDE, Jellyfin, Immich, and multiple smart-TV firmware builds. This creates a uniform attack surface where a single malformed file triggers execution on both client and server endpoints, a pattern repeated in prior libavcodec integer overflows.
Official statements list the issue as fixed in 8.1.2, yet no independent binary diff or regression test coverage has been published. The absence of CVSS environmental scoring for embedded devices leaves NAS and appliance operators without quantified risk data. Expect continued scanning of public media endpoints and torrent seeding of weaponized samples within the next 14 days.
JFrog: Public Jellyfin instances will record >500 exploitation attempts within 10 days of 8.1.2 release.
Sources (3)
- [1] JFrog PixelSmash Disclosure (https://www.securityweek.com/ffmpeg-pixelsmash-flaw-allows-rce-on-video-players-media-servers-nas-appliances/)
- [2] FFmpeg 8.1.2 Changelog (https://ffmpeg.org/download.html)
- [3] NVD CVE-2026-8461 Record (https://nvd.nist.gov/vuln/detail/CVE-2026-8461)