Description
An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution.

This vulnerability is associated with the file libavcodec/magicyuv.c.



This issue affects FFmpeg before version 8.1.2.
Published: 2026-06-18
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds write occurs in FFmpeg’s libavcodec MagicYUV decoder when an odd slice_height is provided. The vulnerability, identified as CWE‑787, allows an attacker to corrupt memory, resulting in a denial‑of‑service or, in some circumstances, execution of arbitrary code. The flaw is triggered by malformed media streams and can crash or compromise the host process.

Affected Systems

FFmpeg versions earlier than 8.1.2 are affected. The vulnerability resides in the libavcodec/magicyuv.c file of the FFmpeg codebase.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. EPSS data is not available, so the likelihood of exploitation is unknown, and the issue has not been listed in the CISA KEV catalog. Attackers would need to supply a malicious video stream, making the threat most relevant to systems that ingest or decode media from untrusted sources.

Generated by OpenCVE AI on June 18, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FFmpeg to version 8.1.2 or later and replace any older binaries in playback or streaming services.
  • Reconfigure or disable the MagicYUV decoder in FFmpeg if the application allows it, to eliminate the code path where the flaw exists.
  • Restart affected services after applying the upgrade to ensure the patched library is loaded and verify that no legacy FFmpeg components remain deployed.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Ffmpeg; Ffmpeg ffmpeg |
| Vendors & Products | | Ffmpeg; Ffmpeg ffmpeg |

Thu, 18 Jun 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution. This vulnerability is associated with the file libavcodec/magicyuv.c. This issue affects FFmpeg before version 8.1.2. |
| Title | | Heap out-of-bounds write via odd slice_height in FFmpeg MagicYUV decoder |
| Weaknesses | | CWE-787 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


MITRE

Status: PUBLISHED

Assigner: JFROG

Published:

Updated: 2026-06-18T12:26:59.855Z

Reserved: 2026-05-13T09:59:49.355Z

Link: CVE-2026-8461

Vulnrichment

Updated: 2026-06-18T12:26:56.161Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T21:00:13Z

Weaknesses