Critical FFmpeg Vulnerability Lets Attackers Hijack Systems via Malicious Video Files
A critical security vulnerability has been discovered in FFmpeg, the world’s most widely deployed open-source multimedia framework, that allows attackers to hijack systems simply by getting them to process a maliciously crafted video file. The vulnerability, tracked as CVE-2026-8461 with a CVSS severity score of 8.8 out of 10, has already been patched in an emergency release.

The flaw resides in FFmpeg’s MagicYUV decoder, where a heap-based out-of-bounds write can be triggered by a specially crafted video file. What makes this vulnerability particularly dangerous is that victims do not need to actively open or play the malicious file themselves. Most NAS (Network Attached Storage) systems, download managers, and media center software automatically scan newly downloaded files or generate thumbnail previews — any of these background operations can silently trigger the exploit.
According to researchers at JFrog, who uncovered the vulnerability, the impact radius is enormous. The flaw has been confirmed to affect a wide range of popular software that embeds FFmpeg, including the Kodi media center, OBS Studio for streaming and recording, the Jellyfin media server, the mpv media player, and the PhotoPrism photo management platform. In the case of Jellyfin, researchers have already demonstrated that the vulnerability can be exploited for remote code execution — meaning an attacker could potentially take full control of a media server by simply having it index a malicious file.
FFmpeg is deeply embedded in the technology ecosystem. Beyond desktop and server applications, it runs inside security cameras, smart TVs, NAS devices, and countless other embedded systems — many of which rarely receive software updates. This dramatically expands the attack surface and the urgency of patching.
The FFmpeg project has responded swiftly, releasing version 8.1.2 as an emergency fix. Users and developers are strongly advised to upgrade immediately. For those who cannot upgrade right away, a viable mitigation is to disable the MagicYUV decoder at compile time if it is not required, though this is only practical for software developers building FFmpeg from source. For end users, updating to the latest version of any FFmpeg-dependent software is the recommended course of action.