CVE-2026-8461 PUBLISHED

Heap out-of-bounds write via odd slice_height in FFmpeg MagicYUV decoder

Assigner: JFROG
Reserved: 13.05.2026 Published: 18.06.2026 Updated: 18.06.2026

An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution.

This vulnerability is associated with the file libavcodec/magicyuv.C.

This issue affects FFmpeg before version 8.1.2.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 8.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 3.1

Product Status

Vendor	FFmpeg
Product	FFmpeg
Versions	Default: unaffected affected from 0 to 8.1.2 (excl.)

References

https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23159

Problem Types

CWE-787 Out-of-bounds write CWE

Impacts

CAPEC-100 Overflow Buffers
CAPEC-123 Buffer Manipulation
CAPEC-586 Object Injection