CVE-2026-8461
FFmpeg vulnerability analysis and mitigation

Overview

CVE-2026-8461 is an out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder (libavcodec/magicyuv.c). A remote attacker who convinces a user, or an automated pipeline, to decode a crafted MagicYUV-encoded media file can cause a denial of service and, under certain conditions, achieve remote code execution. The vulnerability affects all FFmpeg versions before 8.1.2 and was disclosed on June 18, 2026; the CVE was assigned by JFrog. It carries a CVSS v3.1 base score of 8.8 (High) (GitHub Advisory).

Technical details

The root cause is an out-of-bounds write (CWE-787) in the MagicYUV video decoder within FFmpeg's libavcodec library. When processing a specially crafted MagicYUV-encoded media file, the decoder writes data beyond the bounds of an allocated buffer, corrupting adjacent memory. No specific bitstream field is identified here, so detection has to key on the codec (MagicYUV) and the FFmpeg version rather than on a signature for the malformed input. The CVSS metrics are a network attack vector, low attack complexity, no privileges required, and user interaction required (e.g., opening a malicious media file), i.e. AV:N/AC:L/PR:N/UI:R. A patch was submitted via FFmpeg's code review system (GitHub Advisory, FFmpeg PR).

Impact

Successful exploitation can crash the decoding process (denial of service) or, in more severe cases, lead to arbitrary code execution with the privileges of the process that links libavcodec. In practice that process is often not a standalone ffmpeg binary but a media server, transcoding worker, or thumbnailer that decodes user uploads automatically. An attacker who achieves code execution could access sensitive data, modify files, or use the compromised process as a foothold for lateral movement within the affected environment. All three security dimensions, confidentiality, integrity, and availability, are rated High (GitHub Advisory).

Exploitation steps

  1. Craft a malicious media file: create a MagicYUV-encoded video file whose bitstream triggers the out-of-bounds write in libavcodec/magicyuv.c when decoded by a vulnerable FFmpeg build (before 8.1.2).
  2. Deliver the payload: distribute the file by email attachment, web download, or upload to a media-sharing or transcoding service, targeting users or applications that process video with FFmpeg.
  3. Trigger decoding: get the target user or automated pipeline to open or process the file with the vulnerable build, which enters the MagicYUV decoding path. No user click is needed where a server thumbnails, transcodes, or probes uploads automatically.
  4. Exploit the memory corruption: the out-of-bounds write corrupts adjacent heap memory; depending on heap layout and the mitigations in place, this crashes the process (DoS) or enables control-flow hijacking for arbitrary code execution with the privileges of the FFmpeg process (GitHub Advisory).

Indicators of compromise

  • Process: FFmpeg, or any application that links libavcodec, crashing unexpectedly or producing segmentation faults while processing MagicYUV-encoded media files.
  • Logs: application or system logs showing FFmpeg crashes (SIGSEGV, SIGABRT) with libavcodec/magicyuv.c or related frames in the backtrace; in AddressSanitizer-instrumented builds, a heap-buffer-overflow report with a WRITE access in a magicyuv.c frame.
  • File system: unexpected or suspicious MagicYUV-encoded media files (in .mkv, .avi, .mov or other containers) received from untrusted sources in media-processing directories.
  • Network: unusual inbound delivery of media files from unknown or untrusted external sources to systems running FFmpeg-based processing pipelines.
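The log indicators above can be turned into a small triage scan. The script below is an added example for this page, not tooling from FFmpeg, Wiz or JFrog. It assumes syslog-style text, that kernel segfault lines use the standard Linux format ("<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <code> in <object>[...]"), and that an application which captures a backtrace names the source file; the sample log and its addresses, PIDs and line numbers are constructed. It ranks a magicyuv.c frame as the strongest signal and uses the kernel's page-fault error code to separate write faults (the CWE-787 pattern) from read faults.

```python
"""Scan crash logs for libavcodec faults consistent with the MagicYUV
out-of-bounds write (CVE-2026-8461).

Added example for this advisory page, not tooling from FFmpeg, Wiz or JFrog.
Assumptions: syslog-style text; kernel segfault lines in the standard Linux
format; backtrace frames, if captured, name the source file. The sample
log below is constructed, not taken from a real incident.
"""
import re

# Linux page-fault error-code bits: 0x1 = protection violation,
# 0x2 = write access, 0x4 = fault from user mode. A user-mode out-of-bounds
# WRITE that hits an unmapped page reports 6; a bad read reports 4.
PF_WRITE = 0x2

SEGFAULT_RE = re.compile(
    r"(?P<comm>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[\w.+-]+)\["
)
# A backtrace frame that points into the vulnerable decoder source file.
MAGICYUV_FRAME_RE = re.compile(r"libavcodec/magicyuv\.c(?::\d+)?")
# Shared objects and binaries that embed FFmpeg decoding code.
FFMPEG_OBJECTS = ("libavcodec", "libavformat", "ffmpeg", "ffprobe", "ffplay")

# Constructed sample (no real incident): a write fault in libavcodec, a
# backtrace frame from the same worker, an unrelated read fault in
# libavformat, and a non-FFmpeg process exiting on SIGSEGV.
SAMPLE_LOG = """\
Jun 18 10:02:11 worker1 kernel: ffmpeg[4821]: segfault at 55d2c1a3f000 ip 00007f1c2a3b4c5d sp 00007ffd8e2a1b40 error 6 in libavcodec.so.62[7f1c2a000000+1a00000]
Jun 18 10:02:11 worker1 transcoder: #2 0x7f1c2a3b4c5d in magicyuv_decode_frame libavcodec/magicyuv.c:517
Jun 18 10:05:42 worker1 kernel: ffmpeg[4902]: segfault at 0 ip 00007f9a1b0c0d11 sp 00007ffc11223344 error 4 in libavformat.so.62[7f9a1b000000+800000]
Jun 18 10:07:03 worker1 nginx: worker process 311 exited on signal 11
"""


def scan(log_text):
    """Return one finding dict per line that matches an FFmpeg crash pattern."""
    findings = []
    for line in log_text.splitlines():
        if MAGICYUV_FRAME_RE.search(line):
            # A frame in magicyuv.c is the strongest signal this page offers.
            findings.append({"kind": "magicyuv_frame", "confidence": "high",
                             "line": line.strip()})
            continue
        m = SEGFAULT_RE.search(line)
        if not m:
            continue
        obj = m.group("obj")
        if not obj.startswith(FFMPEG_OBJECTS):
            continue
        write_fault = bool(int(m.group("err")) & PF_WRITE)
        # A WRITE fault inside libavcodec matches the CWE-787 pattern; a read
        # fault, or a fault elsewhere in FFmpeg, is weaker evidence.
        confidence = "medium" if write_fault and obj.startswith("libavcodec") else "low"
        findings.append({"kind": "segfault", "confidence": confidence,
                         "comm": m.group("comm"), "pid": int(m.group("pid")),
                         "object": obj, "write_fault": write_fault,
                         "line": line.strip()})
    return findings


def highest_confidence(findings):
    """Collapse a scan result to its single strongest level, or None."""
    order = {"high": 3, "medium": 2, "low": 1}
    best = max((order[f["confidence"]] for f in findings), default=0)
    return {3: "high", 2: "medium", 1: "low"}.get(best)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["confidence"], f["kind"], f["line"][:90])
```

A "low" finding alone is just an FFmpeg crash and needs the input file for confirmation; a "high" finding (a magicyuv.c frame) on a build before 8.1.2 should be handled as a possible exploitation attempt, with the triggering file preserved for analysis.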

Mitigations and workarounds

The primary remediation is to upgrade FFmpeg to version 8.1.2 or later, which contains the fix (GitHub Advisory, FFmpeg PR). Distribution packages may carry the fix under an older version number, so confirm against the vendor advisory rather than the version string alone. Until patching is feasible, reject untrusted or unexpected MagicYUV-encoded media before it reaches the decoder (noting that probing a file with an unpatched ffprobe exercises the same libavformat/libavcodec code and is not a safe filter on its own), restrict FFmpeg usage to trusted media sources, run FFmpeg processes under least-privilege accounts and inside a sandbox (container, seccomp, or similar) to limit the blast radius of any successful exploitation, and treat crashes in MagicYUV decoding as potential exploitation attempts rather than merely bad input.
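The two interim controls above, a version gate and a codec gate, can be scripted. The block below is an added example, not code from FFmpeg or from the advisory. It assumes the real CLI invocations `ffmpeg -version` and `ffprobe -v error -show_streams -of json <file>`, and that ffprobe reports the MagicYUV decoder's codec_name as "magicyuv"; the JSON it parses offline is a constructed ffprobe document, not output captured from a real file. Because ffprobe's stream detection runs libavformat and can decode packets to fill in stream parameters, run the codec gate only with an already-patched ffprobe or inside a sandbox; on a vulnerable host it must not be the only control.

```python
"""Pre-patch screening for CVE-2026-8461: confirm the FFmpeg build is
8.1.2 or later, and reject inputs that carry a MagicYUV stream.

Added example, not code from FFmpeg or from the advisory. Assumptions:
`ffmpeg -version` and `ffprobe -v error -show_streams -of json <file>` are
the CLI invocations used; ffprobe names the decoder "magicyuv"; the JSON
below is a constructed ffprobe document. ffprobe itself may decode packets
while probing, so run it patched or sandboxed.
"""
import json
import re
import subprocess

FIXED_VERSION = (8, 1, 2)
VULNERABLE_CODECS = {"magicyuv"}   # ffprobe codec_name for the MagicYUV decoder

# First line of `ffmpeg -version`, e.g. "ffmpeg version 8.1.1 Copyright ..."
# or "ffmpeg version n8.1.1"; git snapshots ("N-120000-g...") carry no
# release number and are deliberately left unmatched.
VERSION_RE = re.compile(r"ffmpeg version (?:n|v)?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_ffmpeg_version(banner):
    """Extract (major, minor, patch) from the version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_fixed_release(banner):
    """True when the banner names an upstream release >= 8.1.2. Distro builds
    that backport the fix keep an older number, so False means "check the
    vendor advisory", not "definitely vulnerable"."""
    v = parse_ffmpeg_version(banner)
    return v is not None and v >= FIXED_VERSION


def disallowed_streams(ffprobe_json):
    """Return the codec names of streams the policy rejects, sorted."""
    doc = json.loads(ffprobe_json)
    present = {s.get("codec_name", "") for s in doc.get("streams", [])}
    return sorted(present & VULNERABLE_CODECS)


def should_reject(ffprobe_json, ffmpeg_banner):
    """Policy: on an unpatched build, refuse any file with a MagicYUV stream."""
    if is_fixed_release(ffmpeg_banner):
        return False
    return bool(disallowed_streams(ffprobe_json))


def ffmpeg_banner():
    """Run the real binary (not exercised offline)."""
    return subprocess.run(["ffmpeg", "-version"], capture_output=True,
                          text=True, check=True).stdout


def ffprobe_streams(path):
    """Probe a real file (not exercised offline); see the sandbox caveat."""
    return subprocess.run(
        ["ffprobe", "-v", "error", "-show_streams", "-of", "json", path],
        capture_output=True, text=True, check=True).stdout


# Constructed sample: an MKV carrying one MagicYUV video stream and one
# PCM audio stream, in the shape ffprobe's JSON writer produces.
SAMPLE_PROBE = json.dumps({"streams": [
    {"index": 0, "codec_name": "magicyuv", "codec_type": "video",
     "width": 1920, "height": 1080},
    {"index": 1, "codec_name": "pcm_s16le", "codec_type": "audio"},
]})


if __name__ == "__main__":
    banner = "ffmpeg version 8.1.1 Copyright (c) 2000-2026 the FFmpeg developers"
    print("fixed release:", is_fixed_release(banner))
    print("disallowed:", disallowed_streams(SAMPLE_PROBE))
    print("reject:", should_reject(SAMPLE_PROBE, banner))
```

The version gate is a screen, not proof: a vendor build labelled 7.x may already carry the fix, and a static 8.1.2 binary bundled inside another application is not covered by the system package at all, so inventory every copy of libavcodec that decodes untrusted input.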

Related information

Source: This report was generated using AI.

Related FFmpeg vulnerabilities:

CVE identifier   Severity  Score  Technology  Component name  CISA KEV exploit  Fix available  Published
CVE-2026-40962   CRITICAL  9.8    FFmpeg      ffmpeg-4        No                Yes            Apr 16, 2026
CVE-2026-8461    HIGH      8.8    FFmpeg      ffmpeg-8.1      No                Yes            Jun 18, 2026
CVE-2026-30999   HIGH      7.5    FFmpeg      libavutil-free  No                Yes            Apr 13, 2026
CVE-2026-12706   MEDIUM    6.5    FFmpeg      ffmpeg          No                Yes            Jun 19, 2026
CVE-2026-6385    MEDIUM    6.5    FFmpeg      ffmpeg          No                Yes            Apr 15, 2026
