惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LINUX DO - 最新话题
小众软件
小众软件
C
Check Point Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
V
Visual Studio Blog
Last Week in AI
Last Week in AI
P
Proofpoint News Feed
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
The GitHub Blog
The GitHub Blog
T
Tailwind CSS Blog
Recorded Future
Recorded Future
雷峰网
雷峰网
WordPress大学
WordPress大学
A
Arctic Wolf
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Project Zero
Project Zero
T
Tor Project blog
T
Threat Research - Cisco Blogs
Scott Helme
Scott Helme
Spread Privacy
Spread Privacy
G
Google Developers Blog
Security Latest
Security Latest
MongoDB | Blog
MongoDB | Blog
T
Threatpost
I
InfoQ
T
Tenable Blog
T
The Exploit Database - CXSecurity.com
S
Security Affairs
H
Hackread – Cybersecurity News, Data Breaches, AI and More
人人都是产品经理
人人都是产品经理
C
Cisco Blogs
博客园 - 三生石上(FineUI控件)
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
aimingoo的专栏
aimingoo的专栏
C
CXSECURITY Database RSS Feed - CXSecurity.com
美团技术团队
Google DeepMind News
Google DeepMind News
The Hacker News
The Hacker News
D
Docker
博客园 - 【当耐特】
大猫的无限游戏
大猫的无限游戏
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Vercel News
Vercel News
PCI Perspectives
PCI Perspectives
Microsoft Azure Blog
Microsoft Azure Blog
C
CERT Recently Published Vulnerability Notes
月光博客
月光博客
Cloudbric
Cloudbric
A
About on SuperTechFans
F
Fortinet All Blogs

Malwarebytes

Kali365 phishing kit bypasses MFA and steals Microsoft logins Company bragged phone mics could listen to conversations. They couldn’t. Fake LinkedIn emails abuse Adobe to track victims Fake software on GitHub and SourceForge distribute Deno RAT 700+ education and tech websites hijacked in huge ClickFix malware campaign Scammers pretending to be Microsoft had help from US executives A week in security (May 18 – May 24) Update Chrome now: Critical bugs could let attackers run code Microsoft Defender vulnerabilities are being exploited in the wild TikTok, YouTube, and Roblox face scrutiny, but age gates won’t fix child safety Catch spyware in the act with Windows Webcam Monitoring Researchers left AI agents alone in a virtual town and watched it all unravel Fake malware-signing service Fox Tempest dismantled by Microsoft Firefox 151 packs big privacy upgrades into a small update Biometrics, diagnoses, and bank details exposed in major healthcare breach Facebook scam promises cheap Aldi meat boxes, steals payment info instead YouTube wants your face to fight deepfakes Microsoft is changing Edge’s plaintext password behavior A week in security (May 11 – May 17) AI is distorting the Holocaust (Lock and Code S07E10) Attackers replaced JDownloader installer downloads with malware Meta’s confusing new approach to chat privacy Why Malwarebytes blocks some Yahoo Mail redirects Deepfake sextortion forces schools to remove student photos from websites Texas sued Netflix over claims it secretly collected and sold users’ data May 2026 Patch Tuesday: no zero-days but plenty to fix Fake Claude search results lure Mac users into ClickFix attack 1 in 8 employees have sold company logins or know someone who has Stolen Canvas data was “returned” after hacker agreement, Instructure says Yarbo responds to robot flaws that could mow down their owners A week in security (May 4 – May 10) Microsoft says Edge’s plaintext password behavior is “by design” ShinyHunters escalates Canvas attacks with school login defacements Massive AI investment scam network spans 15,500 domains If a fake moustache can fool age checks, is the Online Safety Act working? Google Chrome’s silent 4GB AI download problem Attackers adopt JavaScript runtime Bun to spread NWHStealer Millions of students’ personal data stolen in major education breach Update WhatsApp now: Two new flaws could expose you to malicious files Cyberattacks are raising your prices (Lock and Code S07E09) Thousands of Facebook accounts stolen by phishing emails sent through Google The 2026 World Cup scam economy is already running before the first whistle A week in security (April 27 – May 3) 3 easy-to-miss cybersecurity risks for small businesses Actively exploited cPanel bug exposes millions of websites to takeover More PayPal emails hijacked to deliver tech support scams Hackers stole hundreds of thousands of Roblox accounts: Here’s what to do Researchers built a chatbot that only knows the world before 1931 Microsoft won’t patch PhantomRPC: Feature or bug? Scam-checking just got a lot easier: Malwarebytes is now in Claude Fake CAPTCHA scam turns a quick click into a costly phone bill Chinese engineer stole US military and NASA software for years A week in security (April 20 – April 26) Medical data of 500,000 UK volunteers listed for sale on Alibaba How cyberattacks on companies affect everyone Apple fixes iOS bug that kept deleted notifications, including chat previews Roblox clamps down on chats and age checks as legal pressure builds Malicious trading website drops malware that hands your browser to attackers Researcher claims Claude Desktop installs “spyware” on macOS Fake Google Antigravity downloads are stealing accounts in minutes Real Apple notifications are being used to drive tech support scams Android 17 ends all-or-nothing access to your contacts Big Tech can stop scams. They just don’t (Lock and Code S07E08) Mythos: An AI tool too powerful for public release A week in security (April 13 – April 19) This old-school scam is still working “Your shipment has arrived” email hides remote access software Browser Guard gets even better with Access Control “iCloud storage is full” scam is back, and now it wants your payment details A fake Slack download is giving attackers a hidden desktop on your machine Booking.com breach gives scammers what they need to target guests AI clickbait can turn your notifications into a scam feed Fake YouTube copyright notices can steal your Google login From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere April Patch Tuesday fixes two zero-days, including one under active attack Credit Resources Vault: Why this credit email set off our scam alarms Omnistealer uses the blockchain to steal everything it can ChatGPT under scrutiny as Florida investigates campus shooting Simply opening a PDF could trigger this Adobe Reader zero-day A week in security (April 6 – April 12) Fake Claude site installs malware that gives attackers access to your computer ClickFix finds a new way to infect Macs Scammers pose as Amazon support to steal your account NSFW app leak exposes 70,000 prompts linked to individual users 30,000 private Facebook images allegedly downloaded by Meta employee This fake Windows support website delivers password-stealing malware Your extensions leak clues about you, so we made sure Browser Guard doesn’t Russian hacking group targets home and small office routers to spy on users Timeshare owners warned to watch out for cartel-linked scams Traffic violation scams swap links for QR codes to steal your card details Support platform breach exposes Hims & Hers customer data A week in security (March 30 – April 5) Killer robots are here. Now what? (Lock and Code S07E07) That dream job offer from Coca-Cola or Ferrari? It’s a trap for your passwords Blocking children from social media is a badly executed good idea Apple expands “DarkSword” patches to iOS 18.7.7 Malwarebytes Privacy VPN receives full third-party audit Wikipedia’s AI agent row likely just the beginning of the bot-ocalypse WhatsApp on Windows users targeted in new campaign, warns Microsoft Why we’re still not doing April Fools’ Day
PixelSmash flaw turns video files into attack tools
Pieter Arntz · 2026-06-25 · via Malwarebytes

A newly discovered vulnerability in FFmpeg’s MagicYUV decoder can turn a tiny, malformed video into a foothold for attackers.

Researchers have disclosed PixelSmash, a critical vulnerability tracked as CVE-2026-8461, in FFmpeg’s MagicYUV video decoder with a CVSS score of 8.8.

By crafting a specially formatted AVI, MKV, or MOV file, an attacker can crash or potentially run code on any system that tries to generate a thumbnail, extract metadata, or play the file with a vulnerable version of FFmpeg.

What is FFmpeg and is this serious?

FFmpeg is an open‑source toolkit for recording, converting, and streaming audio and video, and its libavcodec library implements hundreds of audio and video decoders.

One of those is MagicYUV, a lossless codec popular in video editing. A newly discovered vulnerability in FFmpeg’s MagicYUV decoder can turn a tiny, malformed video into a foothold for attackers.

Researchers have disclosed PixelSmash, a critical vulnerability tracked as CVE-2026-8461, in FFmpeg’s MagicYUV video decoder with a CVSS score of 8.8.

By crafting a specially formatted AVI, MKV, or MOV file, an attacker can crash or potentially execute code on any system that tries to generate a thumbnail, extract metadata, or play the file with a vulnerable version of FFmpeg.

What is FFmpeg and is this serious?

FFmpeg is an open‑source toolkit for recording, converting, and streaming audio and video, and its libavcodec library implements hundreds of audio and video decoders.

One of those is MagicYUV, a lossless codec popular in video editing. The researchers found it was enabled by default in upstream FFmpeg and every Linux distribution package they tested up to FFmpeg 9.0.

The impact is more serious than you may think. If you run anything that touches video—from a Linux desktop to a Jellyfin or Nextcloud server, or even an AI model that ingests clips—you probably rely on FFmpeg under the hood.

It’s hard to put an exact number on how many systems are affected, but it helps to know that:

  • Tens of millions of Linux systems rely on ffmpegthumbnailer and system libavcodec for thumbnails, meaning “just browsing a folder” can trigger the bug if a malicious file is present.
  • Jellyfin and Nextcloud, among the most popular self‑hosted media and file platforms globally, each have at least tens of thousands of active internet‑reachable servers. Almost all of those that did not update FFmpeg or disable MagicYUV are vulnerable to denial of service (DoS) and, in some configurations, targeted remote code execution (RCE) attacks.
  • A large fraction of consumer network attached storage (NAS) and smart TV platforms use FFmpeg for previews and thumbnails. These devices are sold in the millions.

The most worrying part of PixelSmash is how little it takes to trigger it. All you need is an application that uses FFmpeg to process untrusted media and has the MagicYUV decoder compiled in.

PixelSmash is a good illustration of a broader problem in the open‑source ecosystem: a bug in a deep dependency that silently propagates everywhere.

How to protect yourself

This vulnerability is not something most home users need to worry about. It needs to be taken care of upstream. Users of affected Linux distributions should keep an eye out for FFmpeg updates or security updates from their distro.

But if you’re responsible for systems that handle video, you should assume you are affected until you prove otherwise. The main mitigation steps are:

  • Update FFmpeg. FFmpeg version 8.1.2, released on June 17, 2026, includes a fix for CVE‑2026‑8461. If your distribution or vendor provides an updated FFmpeg, install it across desktops, servers, and containers.
  • Check if MagicYUV is enabled and disable it or apply patches where possible.
  • Reduce automatic processing of untrusted video. Review which preview providers and thumbnailers are enabled, especially for rarely used formats.

Finally, it is worth watching for abnormal crashes of media players, thumbnailers, or media servers, especially after opening or downloading a new video file. You should treat repeated crashes or missing thumbnails as potential indicators of malicious content until systems are patched.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The impact is more serious than you may think. If you run anything that touches video—from a Linux desktop to a Jellyfin or Nextcloud server, or even an AI model that ingests clips—you probably rely on FFmpeg under the hood.

It’s hard to put an exact number on how many systems are affected, but it helps to know that:

  • Tens of millions of Linux systems rely on ffmpegthumbnailer and system libavcodec for thumbnails, meaning “just browsing a folder” can trigger the bug if a malicious file is present.
  • Jellyfin and Nextcloud, among the most popular self‑hosted media and file platforms globally, each have at least tens of thousands of active internet‑reachable servers. Almost all of those that did not update FFmpeg or disable MagicYUV are vulnerable to denial of service (DoS) and, in some configurations, targeted remote code execution (RCE) attacks.
  • A large fraction of consumer network attached storage (NAS) and smart TV platforms use FFmpeg for previews and thumbnails. These devices are sold in the millions.

The most worrying part of PixelSmash is how little it takes to trigger it. All you need is an application that uses FFmpeg to process untrusted media and has the MagicYUV decoder compiled in.

PixelSmash is a good illustration of a broader problem in the open‑source ecosystem: a bug in a deep dependency that silently propagates everywhere.

How to protect yourself

This vulnerability is not something most home users need to worry about. It needs to be taken care of upstream. Users of affected Linux distributions should keep an eye out for FFmpeg updates or security updates from their distro.

But if you’re responsible for systems that handle video, you should assume you are affected until you prove otherwise. The main mitigation steps are:

  • Update FFmpeg. FFmpeg version 8.1.2, released on June 17, 2026, includes a fix for CVE‑2026‑8461. If your distribution or vendor provides an updated FFmpeg, install it across desktops, servers, and containers.
  • Check if MagicYUV is enabled and disable it or apply patches where possible.
  • Reduce automatic processing of untrusted video. Review which preview providers and thumbnailers are enabled, especially for rarely used formats.

Finally, it is worth watching for abnormal crashes of media players, thumbnailers, or media servers, especially after opening or downloading a new video file. You should treat repeated crashes or missing thumbnails as potential indicators of malicious content until systems are patched.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

About the author

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.