A newly discovered vulnerability in FFmpeg’s MagicYUV decoder can turn a tiny, malformed video into a foothold for attackers.

Researchers have disclosed PixelSmash, a critical vulnerability in FFmpeg’s MagicYUV video decoder, tracked as CVE-2026-8461 and carrying a CVSS score of 8.8.

By crafting a specially formatted AVI, MKV, or MOV file, an attacker can crash, or potentially run code on, any system that tries to generate a thumbnail, extract metadata, or play the file with a vulnerable version of FFmpeg.

What is FFmpeg and is this serious?

FFmpeg is an open‑source toolkit for recording, converting, and streaming audio and video, and its libavcodec library implements hundreds of audio and video decoders.