
Hole in widely-used FFmpeg codec could crash media servers or enable RCE
A newly discovered critical vulnerability in the FFmpeg media processing framework bundled in a huge number of open source and commercial applications points, again, to the need for CSOs to have strategies to deal with software supply chain vulnerabilities, which should include demanding a software bill of materials for all products.
Found by researchers at JFrog, the hole (CVE-2026-8461) is a heap out-of-bounds write in the MagicYUV decoder that can crash any application that uses the framework. It runs in everything from desktop video players like Kodi and mpv, to Linux file-manager thumbnail generators, to cloud transcoding pipelines (such as AWS MediaConvert and Cloudflare Stream) and se...