Hole in widely-used FFmpeg codec could crash media servers or enable RCE
A newly discovered critical vulnerability in the FFmpeg media processing framework bundled in a huge number of open source and commercial applications points, again, to the need for CSOs to have strategies to deal with software supply chain vulnerabilities, which should include demanding a software bill of materials for all products. Found by researchers at JFrog, the hole (CVE-2026-8461) is a heap out-of-bounds write in the MagicYUV decoder that can crash any application that uses the framew...