
FFmpeg bug: Saving the wrong video is enough to get hacked

A serious security flaw in the widely used open multimedia software FFmpeg could allow attackers to execute malicious code on third-party systems via manipulated video files.

FFmpeg is used in many applications

In some cases, it is enough to save a prepared file to a system without ever opening it. The vulnerability was reported under the identifier CVE-2026-8461 and was given a high risk score of 8.8 out of 10. The FFmpeg developers have already released a security update, version 8.1.2, that closes the gap. Users and administrators are urged to install the update promptly. Alternatively, the affected MagicYUV decoder can be deactivated if it is not needed.

The security gap was discovered by researchers at the IT security company JFrog. According to them, processing a single manipulated media file is enough, in the worst case, to take complete control of an affected system. FFmpeg is one of the world's most important open source audio and video processing projects and is integrated into countless applications, server services and networked devices, from media players to cloud services to smart TVs and network storage.

User interaction is often not even necessary for a successful attack. Media servers such as Jellyfin or Emby, cloud platforms, Nextcloud installations or Linux file managers can automatically analyze the malicious file to generate preview images or metadata. This process alone can trigger the vulnerability.

Updates urgently needed

The researchers named the vulnerability PixelSmash. The cause is an error in the MagicYUV decoder, which writes to memory areas outside the intended buffer when it processes certain video data. This allows attackers to deliberately manipulate memory contents and ultimately have their own program code executed. In a demonstration attack, the researchers managed to launch a command line on a Jellyfin server and thereby gain complete control of the system. Tests also showed crashes or attack vectors for numerous popular programs, including Kodi, mpv, OBS Studio, Nextcloud, Immich and PhotoPrism. NAS systems, smart TVs and other IoT devices are also considered potentially at risk.

What makes matters worse is that attacks often occur almost invisibly. Users typically do not receive a warning message, while evidence of compromise can often only be found in server logs. Experts therefore warn of the wide potential scope of the vulnerability and recommend an immediate update of all affected systems.
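To check a host against the advice above (update to 8.1.2, or run a build without the MagicYUV decoder), the following added example, which is not from the article or from JFrog, classifies one FFmpeg build from its `ffmpeg -version` and `ffmpeg -decoders` output. It assumes any release number below 8.1.2 lacks the fix, which does not hold where a distribution has backported the patch; the function names, verdict words and sample outputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage one FFmpeg build for the MagicYUV decoder issue.
FIXED="8.1.2"   # fixed release named in the article

# Reads `ffmpeg -decoders` output on stdin; succeeds if a decoder named magicyuv is listed.
has_magicyuv() { awk '$2 == "magicyuv" { found = 1 } END { exit !found }'; }

# Reads `ffmpeg -version` output on stdin; prints the dotted release number,
# or nothing for git snapshot builds whose version starts with "N-".
ffmpeg_version() { sed -n '1s/^ffmpeg version n\{0,1\}\([0-9][0-9.]*\).*/\1/p'; }

# version_lt A B: succeeds if dotted version A is lower than B (numeric, per component).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# assess VERSION_TEXT DECODERS_TEXT: prints one verdict word.
# Assumption: a release number below $FIXED means the fix is missing (ignores backports).
assess() {
  ver=$(printf '%s\n' "$1" | ffmpeg_version)
  if ! printf '%s\n' "$2" | has_magicyuv; then echo "decoder-absent"
  elif [ -z "$ver" ]; then echo "check-manually"
  elif version_lt "$ver" "$FIXED"; then echo "update-needed"
  else echo "fixed-release"; fi
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_OLD='ffmpeg version 8.1.1 Copyright (c) 2000-2026 the FFmpeg developers'
SAMPLE_NEW='ffmpeg version n8.1.2 Copyright (c) 2000-2026 the FFmpeg developers'
SAMPLE_GIT='ffmpeg version N-118234-g0123abcd Copyright (c) 2000-2026 the FFmpeg developers'
SAMPLE_DEC=' V....D mpeg4                MPEG-4 part 2
 VFS..D magicyuv             MagicYUV video'
SAMPLE_DEC_OFF=' V....D mpeg4                MPEG-4 part 2'

# Live check, only when an ffmpeg binary is on PATH (its banner goes to stderr).
if command -v ffmpeg >/dev/null 2>&1; then
  assess "$(ffmpeg -version 2>/dev/null)" "$(ffmpeg -decoders 2>/dev/null)"
fi
```

Applications that bundle their own FFmpeg libraries need the same check against the bundled copy, since the system binary says nothing about it.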
