{“lastseen”:”2026-06-24T19:36:50″,”description”:”A newly discovered vulnerability in FFmpeg\u2019s MagicYUV decoder can turn a tiny, malformed video into a foothold for attackers.\\n\\nResearchers have disclosed PixelSmash, a critical vulnerability tracked as CVE-2026-8461, in FFmpeg\u2019s MagicYUV video decoder with a CVSS score of 8.8.\\n\\nBy crafting a specially formatted AVI, MKV, or MOV file, an attacker can crash or potentially run code on any system that tries to generate a thumbnail, extract metadata, or play the file with a vulnerable version of FFmpeg.\\n\\n## What is FFmpeg and is this serious?\\n\\nFFmpeg is an open\u2011source toolkit for recording, converting, and streaming audio and video, and its libavcodec library implements hundreds of audio and video decoders. \\n\\nOne of those is MagicYUV, a lossless codec popular in video editing. A newly discovered vulnerability in FFmpeg\u2019s MagicYUV decoder can turn a tiny, malformed video into a foothold for attackers.\\n\\nResearchers have disclosed PixelSmash, a critical vulnerability tracked as CVE-2026-8461, in FFmpeg\u2019s MagicYUV video decoder with a CVSS score of 8.8.\\n\\nBy crafting a specially formatted AVI, MKV, or MOV file, an attacker can crash or potentially execute code on any system that tries to generate a thumbnail, extract metadata, or play the file with a vulnerable version of FFmpeg.\\n\\n## What is FFmpeg and is this serious?\\n\\nFFmpeg is an open\u2011source toolkit for recording, converting, and streaming audio and video, and its libavcodec library implements hundreds of audio and video decoders. \\n\\nOne of those is MagicYUV, a lossless codec popular in video editing. The researchers found it was enabled by default in upstream FFmpeg and every Linux distribution package they tested up to FFmpeg 9.0.\\n\\nThe impact is more serious than you may think. If you run anything that touches video\u2014from a Linux desktop to a Jellyfin or Nextcloud server, or even an AI model that ingests clips\u2014you probably rely on FFmpeg under the hood.\\n\\nIt\u2019s hard to put an exact number on how many systems are affected, but it helps to know that:\\n\\n * Tens of millions of Linux systems rely on `ffmpegthumbnailer` and system `libavcodec` for thumbnails, meaning \u201cjust browsing a folder\u201d can trigger the bug if a malicious file is present.\\n * Jellyfin and Nextcloud, among the most popular self\u2011hosted media and file platforms globally, each have at least tens of thousands of active internet\u2011reachable servers. Almost all of those that did not update FFmpeg or disable MagicYUV are vulnerable to denial of service (DoS) and, in some configurations, targeted remote code execution (RCE) attacks.\\n * A large fraction of consumer network attached storage (NAS) and smart TV platforms use FFmpeg for previews and thumbnails. These devices are sold in the millions.\\n\\n\\n\\nThe most worrying part of PixelSmash is how little it takes to trigger it. All you need is an application that uses FFmpeg to process untrusted media and has the MagicYUV decoder compiled in.\\n\\nPixelSmash is a good illustration of a broader problem in the open\u2011source ecosystem: a bug in a deep dependency that silently propagates everywhere.\\n\\n## How to protect yourself\\n\\nThis vulnerability is not something most home users need to worry about. It needs to be taken care of upstream. Users of affected Linux distributions should keep an eye out for FFmpeg updates or security updates from their distro.\\n\\nBut if you\u2019re responsible for systems that handle video, you should assume you are affected until you prove otherwise. The main mitigation steps are:\\n\\n * **Update FFmpeg.** FFmpeg version 8.1.2, released on June 17, 2026, includes a fix for CVE\u20112026\u20118461. If your distribution or vendor provides an updated FFmpeg, install it across desktops, servers, and containers.\\n * **Check if MagicYUV is enabled** and disable it or apply patches where possible.\\n * **Reduce automatic processing of untrusted video.** Review which preview providers and thumbnailers are enabled, especially for rarely used formats.\\n\\n\\n\\nFinally, it is worth watching for abnormal crashes of media players, thumbnailers, or media servers, especially after opening or downloading a new video file. You should treat repeated crashes or missing thumbnails as potential indicators of malicious content until systems are patched.\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.\\n\\nThe impact is more serious than you may think. If you run anything that touches video\u2014from a Linux desktop to a Jellyfin or Nextcloud server, or even an AI model that ingests clips\u2014you probably rely on FFmpeg under the hood.\\n\\nIt\u2019s hard to put an exact number on how many systems are affected, but it helps to know that:\\n\\n * Tens of millions of Linux systems rely on `ffmpegthumbnailer` and system `libavcodec` for thumbnails, meaning \u201cjust browsing a folder\u201d can trigger the bug if a malicious file is present.\\n * Jellyfin and Nextcloud, among the most popular self\u2011hosted media and file platforms globally, each have at least tens of thousands of active internet\u2011reachable servers. Almost all of those that did not update FFmpeg or disable MagicYUV are vulnerable to denial of service (DoS) and, in some configurations, targeted remote code execution (RCE) attacks.\\n * A large fraction of consumer network attached storage (NAS) and smart TV platforms use FFmpeg for previews and thumbnails. These devices are sold in the millions.\\n\\n\\n\\nThe most worrying part of PixelSmash is how little it takes to trigger it. All you need is an application that uses FFmpeg to process untrusted media and has the MagicYUV decoder compiled in.\\n\\nPixelSmash is a good illustration of a broader problem in the open\u2011source ecosystem: a bug in a deep dependency that silently propagates everywhere.\\n\\n## How to protect yourself\\n\\nThis vulnerability is not something most home users need to worry about. It needs to be taken care of upstream. Users of affected Linux distributions should keep an eye out for FFmpeg updates or security updates from their distro.\\n\\nBut if you\u2019re responsible for systems that handle video, you should assume you are affected until you prove otherwise. The main mitigation steps are:\\n\\n * **Update FFmpeg.** FFmpeg version 8.1.2, released on June 17, 2026, includes a fix for CVE\u20112026\u20118461. If your distribution or vendor provides an updated FFmpeg, install it across desktops, servers, and containers.\\n * **Check if MagicYUV is enabled** and disable it or apply patches where possible.\\n * **Reduce automatic processing of untrusted video.** Review which preview providers and thumbnailers are enabled, especially for rarely used formats.\\n\\n\\n\\nFinally, it is worth watching for abnormal crashes of media players, thumbnailers, or media servers, especially after opening or downloading a new video file. You should treat repeated crashes or missing thumbnails as potential indicators of malicious content until systems are patched.\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2026-06-24T17:23:41″,”modified”:”2026-06-24T17:23:41″,”type”:”malwarebytes”,”title”:”PixelSmash flaw turns video files into attack tools”,”source”:””,”references”:””,”id”:”MALWAREBYTES:EC34003352AA88477BAACCE9BF91A066″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2026-8461″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/06\/pixelsmash-flaw-turns-video-files-into-attack-tools”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-24T19:36:50″,”description”:”A newly discovered vulnerability in FFmpeg\u2019s MagicYUV decoder can turn a tiny, malformed video into a foothold for attackers.\\n\\nResearchers have disclosed PixelSmash, a critical vulnerability…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,41,12,15,115,13,7,11,5],"class_list":["post-65508","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-malwarebytes","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n