CVE-2026-8461
HIGH · 8.8 · EPSS 0.4%. Patch released; credible RCE signal; active defender concern; not KEV-listed; limited PoC visibility.
What: Out-of-bounds write in FFmpeg's MagicYUV decoder (libavcodec) enabling DoS and remote code execution via malicious media files; affects FFmpeg before 8.1.2 (CVSS 8.8).
Why it matters: FFmpeg 8.1.2 shipped the fix on June 17; downstream impact is wide because media servers and players bundle or link libavcodec (Jellyfin, Kodi, OBS, Nextcloud, Emby). Social chatter highlights "zero-click" RCE on home servers from video files of around 50 KB. The CVSS vector rates user interaction as Required, but a server that scans, thumbnails or transcodes uploads automatically supplies that interaction itself, so the zero-click description fits unattended ingest pipelines. Not KEV-listed yet, but defender triage is active (Ubuntu was still working on patches at the time of writing). Credible threat signal from JFrog/BleepingComputer coverage and sysadmin urgency.
Where it's seen: Tech media coverage, sysadmin forums flagging Ubuntu patch lag, multilingual security blogs emphasizing ecosystem reach. Memory-safety meme posts recycling the disclosure.
RISK: HIGH — Out-of-bounds write enabling RCE in ubiquitous media library; widespread dependent services.
Description
An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial of service and, in some cases, can be exploited for remote code execution. The affected code is in libavcodec/magicyuv.c. This issue affects FFmpeg before version 8.1.2.
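The following triage helper is an added example, not code from this advisory or from the FFmpeg project. It applies the "before 8.1.2" rule from the description to the text that `ffmpeg -version` and `ffmpeg -decoders` print, and handles three cases a plain version compare gets wrong: git snapshots (no release number to rank), distribution packages that may carry a backported fix under an older upstream version (the Ubuntu situation noted above), and builds configured with `--disable-decoder=magicyuv`, where the affected code in libavcodec/magicyuv.c is not compiled in at all. The sample banners are constructed, and the status labels are this example's own.

```python
"""Triage helper for CVE-2026-8461 (FFmpeg MagicYUV out-of-bounds write, fixed in 8.1.2).

Added example, not part of the advisory or of FFmpeg. It classifies an ffmpeg
build from the text of `ffmpeg -version` and `ffmpeg -decoders`.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (8, 1, 2)  # advisory: "affects FFmpeg before 8.1.2"

# Constructed sample outputs (not captured from a real host).
SAMPLE_UPSTREAM_OLD = "ffmpeg version 8.1.1 Copyright (c) the FFmpeg developers\nbuilt with gcc\n"
SAMPLE_UPSTREAM_FIXED = "ffmpeg version 8.1.2 Copyright (c) the FFmpeg developers\n"
SAMPLE_UBUNTU = "ffmpeg version 7.1.1-1ubuntu1.2 Copyright (c) the FFmpeg developers\n"
SAMPLE_GIT = "ffmpeg version N-120000-gdeadbeef0 Copyright (c) the FFmpeg developers\n"
SAMPLE_DECODERS = (
    "Decoders:\n V..... = Video\n .....D = Supports direct rendering method 1\n ------\n"
    " V....D h264                 H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10\n"
    " V....D magicyuv             MagicYUV video\n"
)
SAMPLE_DECODERS_NO_MAGICYUV = (
    "Decoders:\n V..... = Video\n ------\n"
    " V....D h264                 H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10\n"
)


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the 'ffmpeg version ...' line.

    Accepts release numbers like '8.1.2' or tag-style 'n8.1.2'. Git snapshots
    such as 'N-120000-gdeadbeef0' carry no release number, so None is returned
    and the caller has to compare the commit against the fix instead.
    """
    m = re.search(r"^ffmpeg version\s+n?(\d+)\.(\d+)(?:\.(\d+))?", banner, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_distro_build(banner: str) -> bool:
    """Heuristic: a Debian/Ubuntu-style revision ('7.1.1-1ubuntu1.2') means the
    packager may have backported the fix without changing the upstream number."""
    return re.search(r"^ffmpeg version\s+\S*-\S*(ubuntu|deb)", banner, re.M) is not None


def has_magicyuv(decoders_out: str) -> bool:
    """True if the magicyuv decoder is compiled in (it is by default; a build
    configured with --disable-decoder=magicyuv does not list it)."""
    # Decoder lines look like " V....D magicyuv             MagicYUV video".
    return re.search(r"^\s*V\S*\s+magicyuv\s", decoders_out, re.M) is not None


def triage(version_banner: str, decoders_out: str) -> str:
    """Classify a build for CVE-2026-8461. Labels are this example's own:
      not-built    - magicyuv decoder absent, affected code path unreachable
      patched      - upstream release >= 8.1.2
      vulnerable   - upstream release < 8.1.2 with no sign of a vendor backport
      distro-check - release < 8.1.2 but distro-packaged: read the package changelog
      unknown      - git snapshot: compare the commit with the 8.1.2 fix
    """
    if not has_magicyuv(decoders_out):
        return "not-built"
    ver = parse_version(version_banner)
    if ver is None:
        return "unknown"
    if ver >= FIXED_VERSION:
        return "patched"
    if is_distro_build(version_banner):
        return "distro-check"
    return "vulnerable"


def triage_local() -> Optional[str]:
    """Run the real binary when ffmpeg is on PATH; None if it is not installed."""
    exe = shutil.which("ffmpeg")
    if exe is None:
        return None
    version_out = subprocess.run([exe, "-version"], capture_output=True, text=True).stdout
    decoders_out = subprocess.run([exe, "-hide_banner", "-decoders"],
                                  capture_output=True, text=True).stdout
    return triage(version_out, decoders_out)


if __name__ == "__main__":
    for name, banner in [("upstream 8.1.1", SAMPLE_UPSTREAM_OLD),
                         ("upstream 8.1.2", SAMPLE_UPSTREAM_FIXED),
                         ("ubuntu 7.1.1", SAMPLE_UBUNTU),
                         ("git snapshot", SAMPLE_GIT)]:
        print(f"{name:15} -> {triage(banner, SAMPLE_DECODERS)}")
    print(f"{'no magicyuv':15} -> {triage(SAMPLE_UPSTREAM_OLD, SAMPLE_DECODERS_NO_MAGICYUV)}")
    local = triage_local()
    print("this host ->", local if local is not None else "ffmpeg not on PATH")
```

The PATH lookup only covers the system binary; applications that bundle their own FFmpeg (Jellyfin's jellyfin-ffmpeg, for example) have to be checked at that copy. A `distro-check` result is not a pass: confirm the CVE in the vendor's package changelog before closing the ticket. For ingest services that never need to play MagicYUV, rebuilding with `--disable-decoder=magicyuv` removes the affected code path regardless of version, and not auto-transcoding untrusted uploads removes the "interaction" that makes the UI:R vector effectively zero-click on a server.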
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High