Critical FFmpeg Vulnerability: CVE-2026-8461 (PixelSmash)
Security researchers at JFrog have disclosed a high-severity vulnerability in FFmpeg, the open-source media processing framework used across virtually every video application and platform. CVE-2026-8461 is a heap out-of-bounds write in FFmpeg’s MagicYUV decoder, rated CVSS 8.8 High, which can allow a specially crafted media file to trigger remote code execution on a vulnerable system.
Our response
Based on the available technical information published by JFrog and FFmpeg, successful remote code execution has been demonstrated only when Address Space Layout Randomization (ASLR) is disabled, or when an attacker is able to combine this vulnerability with an additional technique that bypasses ASLR. Our Linux-based ELEMENTS appliances have ASLR enabled in the recommended full randomization mode (kernel.randomize_va_space = 2), which provides an important mitigation against this class of memory corruption vulnerabilities. This significantly increases the complexity of successful exploitation.
That said, we do not consider ASLR a substitute for patching. We are currently validating an updated FFmpeg version within ELEMENTS to ensure compatibility with existing transcoding workflows and customer configurations. Once this validation has been completed, the updated FFmpeg package will be included in an upcoming release.
Until then, we recommend following normal best practices by limiting ingestion of untrusted media where possible. We take vulnerabilities of this nature seriously and will provide the FFmpeg update as soon as validation has been completed.
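A host-side check of the ASLR setting described above, as an added example that is not part of the original advisory or of ELEMENTS tooling: it reads the running kernel's value and flags any sysctl configuration line that sets kernel.randomize_va_space to something other than 2. The function names and the list of configuration paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit the ASLR mode (kernel.randomize_va_space) on a Linux host.

# Map a randomize_va_space value to the mode it selects.
aslr_mode() {
  case "$1" in
    2) echo "full" ;;      # stack, mmap, vDSO and brk heap randomized
    1) echo "partial" ;;   # brk heap is not randomized
    0) echo "disabled" ;;
    *) echo "unknown" ;;
  esac
}

# Print "file: value" for every sysctl config line that sets
# kernel.randomize_va_space to anything other than 2.
weak_aslr_settings() {
  for f in "$@"; do
    [ -r "$f" ] || continue   # also skips unmatched globs
    sed -n 's/^[[:space:]]*-\{0,1\}kernel[./]randomize_va_space[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$f" |
      while read -r v; do
        if [ "$v" != 2 ]; then echo "$f: $v"; fi
      done
  done
}

# audit_aslr RUNTIME_FILE CONF...: succeed only if the running kernel is in
# full mode and no config file would weaken it on the next boot or reload.
audit_aslr() {
  runtime_file=$1; shift
  runtime=$(cat "$runtime_file" 2>/dev/null) || runtime=""
  weak=$(weak_aslr_settings "$@")
  echo "runtime ASLR mode: $(aslr_mode "$runtime")"
  if [ -n "$weak" ]; then
    echo "config lines that weaken ASLR:"
    echo "$weak"
  fi
  [ "$runtime" = 2 ] && [ -z "$weak" ]
}

# Paths below are the usual sysctl locations (assumed; adjust per distribution).
audit_aslr /proc/sys/kernel/randomize_va_space \
  /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf \
  || echo "ASLR is not pinned to full randomization on this host"
```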