A rounding error in FFmpeg’s MagicYUV decoder allows arbitrary code execution through stack overflow when merely scanning video files, but affects a vulnerability patched in version 8.1.2.
CVE-2026-8461 in the FFmpeg MagicYUV decoder enables Denial-of-Service and Remote Code Execution through crafted media files in hundreds of applications; patching to version 8.1.2 is required.
An AI agent identified 21 zero-days in FFmpeg, while Chrome 149 sets a record with 429 patched vulnerabilities — a sign of growing attack surface discovery through automated analysis.