CVE-2026-8461

HIGH · 8.8 EPSS 0.4%
hype LIKELY HACK · 72 hack

Patch released, credible RCE signal, active defender concern; not KEV-listed; limited PoC visibility.

What: Out-of-bounds write in FFmpeg's MagicYUV decoder (libavcodec) enabling DoS and remote code execution via malicious media files; affects FFmpeg before 8.1.2 (CVSS 8.8).

Why it matters: Patched in FFmpeg 8.1.2 on June 17; widespread downstream impact (Jellyfin, Kodi, OBS, Nextcloud, Emby). Social chatter highlights zero-click RCE on home servers from 50KB video files. Not KEV-listed yet, but defender triage is active (Ubuntu is still working on patches). Credible threat signal from JFrog/BleepingComputer coverage and sysadmin urgency.

Where it's seen: Tech media coverage, sysadmin forums flagging Ubuntu patch lag, multilingual security blogs emphasizing ecosystem reach. Memory-safety meme posts recycling the disclosure.

RISK: HIGH — Out-of-bounds write enabling RCE in ubiquitous media library; widespread dependent services.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/26/2026, 11:39:31 AM

Description

An out-of-bounds write vulnerability in the MagicYUV decoder of FFmpeg's libavcodec library allows denial of service and, in some cases, can be exploited for remote code execution. The affected code is in the file libavcodec/magicyuv.c. This issue affects FFmpeg before version 8.1.2.

CVSS 3.1 breakdown

Exploitability 2.8 · Impact 5.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack vector: Network
Complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Weaknesses