A critical vulnerability, tracked as CVE-2026-8461, has been identified in the FFmpeg media processing framework, allowing attackers to remotely crash applications and execute arbitrary code. The flaw exists within the MagicYUV decoder of FFmpeg's libavcodec library and is attributed to improper handling of frame allocation and chroma plane heights.
Dubbed 'PixelSmash', it can be exploited via crafted media files without requiring authentication or special privileges, affecting various platforms including desktop apps, NAS appliances, and smart TVs. To mitigate the risk, users are advised to update to FFmpeg version 8.1.2 or later.
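A first-pass exposure check for the update advice above, as an added example (not code from FFmpeg or from the advisory). It assumes the usual `ffmpeg -version` banner format and that the decoder is listed as `magicyuv` by `ffmpeg -decoders`; the status labels and sample strings are constructed for illustration.

```python
import re
import shutil
import subprocess

FIXED = (8, 1, 2)  # first fixed release, taken from the advisory text above

# Constructed sample output, used when no ffmpeg binary is on PATH.
SAMPLE_BANNER = "ffmpeg version 7.1.1-1ubuntu1 Copyright (c) 2000-2025 the FFmpeg developers\n"
SAMPLE_DECODERS = " V....D magicyuv             MagicYUV video\n"

def parse_version(banner):
    """Return (major, minor, patch) from an `ffmpeg -version` banner, or None
    for git snapshot builds (N-xxxxx-g<hash>) that carry no release number."""
    m = re.search(r"^ffmpeg version n?(\d+)\.(\d+)(?:\.(\d+))?", banner, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def has_magicyuv(listing):
    """True if an `ffmpeg -decoders` listing contains the magicyuv decoder."""
    rows = (line.split() for line in listing.splitlines())
    return any(len(r) > 1 and r[1] == "magicyuv" for r in rows)

def assess(banner, listing):
    """Classify one build; the labels are hypothetical, not an FFmpeg convention."""
    if not has_magicyuv(listing):
        return "decoder-absent"   # MagicYUV decoder not compiled into this build
    version = parse_version(banner)
    if version is None:
        return "unknown"          # snapshot build: compare source revision by hand
    return "patched" if version >= FIXED else "needs-update"

def run(exe, *args):
    """Capture stdout of one ffmpeg invocation."""
    return subprocess.run([exe, *args], capture_output=True, text=True).stdout

if __name__ == "__main__":
    exe = shutil.which("ffmpeg")
    if exe:
        print(assess(run(exe, "-version"), run(exe, "-hide_banner", "-decoders")))
    else:
        print("ffmpeg not on PATH; sample:", assess(SAMPLE_BANNER, SAMPLE_DECODERS))
```

This covers only the `ffmpeg` binary on PATH; applications and appliances that bundle their own libavcodec need their vendor's version checked separately, and distribution packages may backport a fix without changing the upstream version number.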