CVE-2026-8461 (PixelSmash) is a critical-severity heap-based buffer overflow in FFmpeg’s MagicYUV decoder that allows remote code execution through a malicious video file with no user interaction required beyond file ingestion. Organizations running FFmpeg in automated media pipelines, CI/CD build environments, containerized transcoding services, or content delivery platforms are at risk of complete process compromise. No confirmed patch version is available from primary sources at analysis time; the specific affected version range is unconfirmed pending NVD publication.