
FFmpeg EUVD-2026-37878

CVE-2026-8461 | HIGH
Out-of-bounds Write (CWE-787)
2026-06-18 · JFROG · GHSA-qff7-4q6c-m8h6
CVSS 3.1 base score 8.8 · Vendor: JFROG

Severity by source

Vendor (JFROG), primary: 8.8 HIGH
CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

vuln.today AI: 7.5 HIGH

Network-delivered malicious file requires a user or pipeline to decode it (UI:R, PR:N); reliable RCE from an OOB write depends on heap state and mitigations, which justifies AC:H over AC:L, with full CIA impact on the decoding process.

CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (JFROG).

CVSS Vector (Vendor: JFROG)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 18, 2026 - 13:46 (EUVD)
Analysis generated: Jun 18, 2026 - 12:32 (vuln.today)

Description (CVE.org)

An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution.

This vulnerability is associated with the file libavcodec/magicyuv.c.

This issue affects FFmpeg before version 8.1.2.

Analysis (AI)

Out-of-bounds write in FFmpeg's libavcodec MagicYUV decoder (libavcodec/magicyuv.c) affects all FFmpeg versions before 8.1.2, allowing remote attackers to cause denial-of-service and potentially achieve remote code execution when a victim processes a crafted MagicYUV-encoded media file. No public exploit identified at time of analysis, but the broad deployment of FFmpeg across media players, transcoding pipelines, browsers, and server-side processing makes this a high-priority patch. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft malicious MagicYUV media file
Delivery: Deliver via upload, link, or attachment
Exploit: Victim or transcoder feeds file to libavcodec
Execution: MagicYUV decoder writes out of bounds
Persist: Heap corruption crashes process or hijacks control flow
Impact: Execute code as media-handling user

Vulnerability Assessment (AI)

Exploitation: Requires the target to decode an attacker-supplied MagicYUV-encoded stream through FFmpeg's libavcodec MagicYUV decoder (libavcodec/magicyuv.c) on a version before 8.1.2; the CVSS UI:R metric reflects that a user or automated pipeline must actually open or process the malicious file. …
Risk Assessment: The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H scores 8.8 and reflects a network-reachable, low-complexity, unauthenticated attack requiring user interaction (opening or processing a malicious media file), with full CIA impact consistent with potential RCE. Reliable code execution from a heap out-of-bounds write depends on allocator state and platform mitigations, which is why the vuln.today AI rating above uses AC:H and lands at 7.5. …
Exploit Scenario: An attacker crafts a video file containing a malformed MagicYUV stream and delivers it via a video-sharing site, chat attachment, email, or a URL that a media player or server-side transcoder will fetch. When the victim opens the file (or a backend transcoder automatically processes the upload), libavcodec's MagicYUV decoder writes out of bounds while parsing attacker-controlled fields, crashing the process at minimum and potentially executing attacker-controlled code with the privileges of the media-handling process. …
Remediation: Upstream fix available (PR https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23159); the patched release 8.1.2 is named in the description but should be verified against the official FFmpeg release once tags are published. …

Recommended Action (AI)

Within 24 hours: Conduct comprehensive inventory of all FFmpeg deployments, including embedded instances in applications, streaming services, and video processing pipelines. …
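The inventory step above is usually scripted. The following is an added example written for this page, not code from vuln.today or the FFmpeg project: it classifies the first line of `ffmpeg -version` against the first fixed release 8.1.2 named in the description, checks whether the magicyuv decoder is compiled into a build at all (`ffmpeg -decoders`), and gates input files on `ffprobe` stream codec names so MagicYUV input is refused before it reaches libavcodec. The gating function is a compensating control suggested here, not one taken from the page, and every command output in the block is a constructed sample.

```python
"""Affected-build triage for the MagicYUV advisory (added example; not code
from vuln.today or the FFmpeg project). All sample outputs are constructed.
"""
import re

FIXED = (8, 1, 2)  # first fixed release per the CVE description

# Banner forms seen in practice: "8.1.1", "n8.1.2" (release tag),
# "6.1.1-3ubuntu5" (distro), "N-113007-g8d24a28d06" (git snapshot).
_VERSION_RE = re.compile(r"ffmpeg version\s+n?(\d+)\.(\d+)(?:\.(\d+))?")
_SNAPSHOT_RE = re.compile(r"ffmpeg version\s+N-\d+-g[0-9a-f]+")


def parse_version(first_line: str):
    """(major, minor, patch) from an `ffmpeg -version` banner, or None."""
    m = _VERSION_RE.search(first_line)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify_version(first_line: str) -> str:
    """'affected' (version number below 8.1.2), 'fixed', or 'unknown'.

    Git snapshots cannot be compared by number; check the commit against
    the upstream fix instead. Distro packages may backport the fix under
    an older number, so confirm 'affected' against the package changelog.
    """
    if _SNAPSHOT_RE.search(first_line):
        return "unknown"
    v = parse_version(first_line)
    if v is None:
        return "unknown"
    return "fixed" if v >= FIXED else "affected"


def has_magicyuv_decoder(decoders_output: str) -> bool:
    """True if magicyuv is listed by `ffmpeg -decoders`.

    The listing is a flag legend, a '------' separator, then one decoder
    per line: flags, name, description. A build configured with
    --disable-decoder=magicyuv does not list it and cannot reach the
    vulnerable code.
    """
    in_body = False
    for line in decoders_output.splitlines():
        if not in_body:
            in_body = line.strip().startswith("------")
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "magicyuv":
            return True
    return False


def gate_streams(probe_output: str, blocked=("magicyuv",)) -> bool:
    """Accept a file only if no stream uses a blocked codec.

    probe_output is what this command prints, one codec_name per line:
      ffprobe -v error -show_entries stream=codec_name -of csv=p=0 FILE
    Run the gate before any decode step of the pipeline.
    """
    names = {l.strip() for l in probe_output.splitlines() if l.strip()}
    return names.isdisjoint(blocked)


# Constructed samples of the three command outputs.
SAMPLE_VERSIONS = [
    "ffmpeg version 8.1.1 Copyright (c) 2000-2026 the FFmpeg developers",
    "ffmpeg version n8.1.2 Copyright (c) 2000-2026 the FFmpeg developers",
    "ffmpeg version 6.1.1-3ubuntu5 Copyright (c) 2000-2023 the FFmpeg developers",
    "ffmpeg version N-113007-g8d24a28d06 Copyright (c) 2000-2025 the FFmpeg developers",
]
SAMPLE_DECODERS = """Decoders:
 V..... = Video
 A..... = Audio
 .F.... = Frame-level multithreading
 ------
 V....D h264                 H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
 VF...D magicyuv             MagicYUV video
 A....D aac                  AAC (Advanced Audio Coding)
"""
SAMPLE_DECODERS_DISABLED = SAMPLE_DECODERS.replace(
    " VF...D magicyuv             MagicYUV video\n", "")
SAMPLE_PROBE_MAGICYUV = "magicyuv\naac\n"
SAMPLE_PROBE_H264 = "h264\naac\n"

if __name__ == "__main__":
    for banner in SAMPLE_VERSIONS:
        print(f"{classify_version(banner):8s} {banner.split(' Copyright')[0]}")
    print("magicyuv decoder present:", has_magicyuv_decoder(SAMPLE_DECODERS))
    print("accept magicyuv file:", gate_streams(SAMPLE_PROBE_MAGICYUV))
```

Applications that link libavcodec statically will not show up in a search for the ffmpeg binary; for those, feed the banner from the embedding application's own version output, or `avcodec_version()` if you can call it, into classify_version, and keep the "unknown" results on the list rather than treating them as clean.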

