CVE-2026-8461 (‘PixelSmash’) is a high-severity memory corruption vulnerability (CWE-125, CWE-787) in FFmpeg’s MagicYUV video decoder, fixed in FFmpeg 8.1.2 released June 17, 2026. A malformed AVI, MKV, or MOV file triggers the vulnerable decoder during thumbnail generation or metadata extraction — operations that run automatically and without user interaction across media servers, cloud storage preview pipelines, file managers, and CI/CD systems. EPSS at the 30th percentile and no CISA KEV listing indicate currently low exploitation activity, but the zero-interaction attack surface in automated media processing pipelines warrants high-priority patching.