vulnerability context

CVE-2026-8461

CVSS 8.8 HIGHEPSS 30%CWE-787

An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution. This vulnerability is associated with the file libavcodec/magicyuv.C. This issue affects FFmpeg before version 8.1.2.

Published 2026-06-18 · last modified 2026-06-22

details

CISA KEV status: Not in catalog
CVSS v3: 8.8 / HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 30% percentile (score 0.0039)
CWE: CWE-787

View on NVD → · cve.org

source mentions 2

[securityrss.ai] A critical vulnerability, CVE-2026-8461 ("PixelSmash"), in FFmpeg's MagicYUV decoder allows remote code execution...Bluesky · 2h ago
[The Daily Tech Feed] FFmpeg's MagicYUV decoder flaw (CVE-2026-8461) enables remote code execution via crafted media files. Update...Bluesky · 1d ago

source consensus

Bluesky2×

Want the 3-bullet summary of CVE-2026-8461, plus webhook alerts when KEV is updated? Pro is $10/mo.

Open in reader See Pro →