A critical vulnerability named PixelSmash has been uncovered in FFmpeg's MagicYUV video decoder, tracked as CVE-2026-8461, with a CVSS score of 8.8. The flaw allows attackers to craft malformed video files (AVI, MKV, or MOV) that can crash systems or lead to remote code execution when processed with a vulnerable FFmpeg version. Millions of Linux systems, particularly those using `ffmpegthumbnailer` or applications like Jellyfin and Nextcloud, are at risk.
To mitigate this risk, users should update to FFmpeg version 8.1.2 or later, disable the MagicYUV decoder, and minimize automatic video processing. Regular monitoring for abnormal crashes can also help identify potential exploitation attempts.
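
One way to check a host against the first two mitigations, written as an added example rather than tooling from the FFmpeg project or the advisory. It assumes the usual `ffmpeg -version` and `ffmpeg -decoders` output layouts. The function names and verdict strings are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
FIXED="8.1.2"  # fixed release named in the advisory text above

# Print the release number from the first line of `ffmpeg -version` output.
# Prints nothing for snapshot builds ("N-...-g<hash>") with no release number.
ffmpeg_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^ffmpeg version n\{0,1\}\([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,2\}\).*/\1/p'
}

# Succeed when dotted version $1 is strictly older than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Succeed when `ffmpeg -decoders` output ($1) lists the magicyuv decoder.
has_magicyuv() {
    printf '%s\n' "$1" | awk '$2 == "magicyuv" { found = 1 } END { exit !found }'
}

# Verdict from `ffmpeg -version` text ($1) and `ffmpeg -decoders` text ($2).
assess() {
    has_magicyuv "$2" || { echo "decoder-disabled"; return 0; }
    ver=$(ffmpeg_version "$1")
    [ -n "$ver" ] || { echo "review-build"; return 0; }  # cannot compare snapshots
    # Distro packages may backport fixes without changing the version:
    # treat update-needed as a prompt to check the package changelog too.
    if version_lt "$ver" "$FIXED"; then echo "update-needed"; else echo "fixed-version"; fi
}

# Constructed sample output, not captured from a real host.
SAMPLE_VER='ffmpeg version 7.1.1-1ubuntu1 Copyright (c) 2000-2025 the FFmpeg developers'
SAMPLE_DEC=' VFS..D magicyuv             MagicYUV video'
echo "sample: $(assess "$SAMPLE_VER" "$SAMPLE_DEC")"

# Live check when ffmpeg is on PATH; -hide_banner keeps the decoder list clean.
if command -v ffmpeg >/dev/null 2>&1; then
    echo "local: $(assess "$(ffmpeg -version 2>/dev/null)" "$(ffmpeg -hide_banner -decoders 2>/dev/null)")"
fi
```

Applications that bundle their own FFmpeg build or link libavcodec directly are not covered by the binary on `PATH` and need the same check against their own copy.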