CVE-2026-8461 is a heap out-of-bounds write in FFmpeg’s MagicYUV video decoder, patched in FFmpeg 8.1.2, that enables remote code execution via a maliciously crafted media file delivered to any application that automatically processes video. JFrog demonstrated zero-click RCE against Jellyfin 10.11.9 via its automated library scan pipeline. Because FFmpeg is widely bundled and statically linked, the upstream patch does not automatically remediate downstream applications — each application must independently ship a build against FFmpeg 8.1.2.
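Because the fix reaches users only when each application ships its own rebuilt FFmpeg, the useful inventory check runs against the `ffmpeg` binary each application actually bundles or invokes, not just the system package. The following triage helper is an added example, not code from FFmpeg or JFrog; the status labels, function names and sample strings are constructed for illustration, and it assumes you have captured the first line of `ffmpeg -version` and the output of `ffmpeg -decoders` from the binary in question.

```python
import re

FIXED = (8, 1, 2)  # fix release named in the advisory

# Constructed sample of `ffmpeg -decoders` output (rows: <flags> <name> <description>)
SAMPLE_DECODERS = """Decoders:
 V..... = Video
 ------
 VFS..D magicyuv             MagicYUV video
 VFS..D h264                 H.264 / AVC / MPEG-4 AVC
"""

def parse_banner(banner):
    """Return ((major, minor, patch), suffix) from `ffmpeg -version` line 1, or None."""
    m = re.match(r"\s*ff\w+ version n?(\d+)\.(\d+)(?:\.(\d+))?(\S*)", banner)
    if not m:
        return None  # git snapshots ("N-...") and date-stamped builds land here
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix

def has_magicyuv(decoders_text):
    """True if the decoder listing includes the magicyuv decoder."""
    for line in decoders_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "magicyuv":
            return True
    return False

def triage(banner, decoders_text):
    """Classify one FFmpeg build against the 8.1.2 fix release."""
    if not has_magicyuv(decoders_text):
        return "decoder-absent"          # affected decoder not compiled in
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown-version"         # cannot compare; ask the vendor
    version, suffix = parsed
    if version >= FIXED:
        return "at-or-above-fix"
    # A packaging suffix may indicate a distro build that backported the fix
    return "check-vendor-backport" if suffix else "below-fix"

if __name__ == "__main__":
    for b in ("ffmpeg version 8.1.2 Copyright (c) 2000-2026 the FFmpeg developers",
              "ffmpeg version 7.1.1-1ubuntu1 Copyright (c) 2000-2025",
              "ffmpeg version N-118432-g0123abcdef Copyright (c) 2000-2026"):
        print(triage(b, SAMPLE_DECODERS), "<-", b)
```

An application that links libavcodec statically and ships no `ffmpeg` executable exposes neither output; for those, the vendor's release notes stating the bundled FFmpeg version are the only reliable source.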

Author

Tech Jacks Solutions