logo

FFmpeg MagicYUV Vulnerability Exposes Media Applications

ID: e6688478-31be-50bc-af00-1908dcd868d2

STIX ID: report--e6688478-31be-50bc-af00-1908dcd868d2

Feed Name: securityonline.info

Threat Score
78/100

Date Published: 2026-06-26

Date Updated: 2026-06-26

Author: Do Son

...
...

**CVE-2026-8461 — FFmpeg MagicYUV heap out-of-bounds write (CVSS 8.8):** JFrog researchers disclosed a critical vulnerability in the MagicYUV decoder that can be triggered by a crafted video file to cause heap corruption and hijack execution (affecting FFmpeg < 8.1.2 and downstream apps such as Jellyfin and Nextcloud); a public proof-of-concept exists and administrators are advised to upgrade to 8.1.2 or disable the decoder.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.