A newly disclosed vulnerability in the open-source FFmpeg multimedia framework, tracked as 'PixelSmash,' could allow remote code execution on Jellyfin servers under specific conditions, according to BleepingComputer. The flaw also triggers denial-of-service conditions in a range of other applications that rely on the affected video decoder.

The PixelSmash vulnerability is considered high severity because it targets a widely deployed library. Jellyfin, Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio are all cited as affected platforms. The report did not provide a CVSS score, and active exploitation has not yet been confirmed.

Technical specifics of the exploit mechanism remain undisclosed, but the flaw resides in FFmpeg's video decoding routines. Attackers would likely craft malicious media files to trigger memory corruption, leading to code execution on Jellyfin servers or a crash in other applications. Indicators of compromise are not yet publicly documented.

FFmpeg developers have released a patch to address the PixelSmash flaw. Administrators of Jellyfin and other affected software are urged to update to the latest FFmpeg version. No workaround has been detailed, making patching the primary mitigation strategy.
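Because the advice is simply "update FFmpeg", the practical first step for an administrator is to find out which ffmpeg binaries a host actually runs, since Jellyfin ships its own copy separately from the distribution package. The script below is an added example, not code from the article or from the FFmpeg or Jellyfin projects. It assumes the Debian/Ubuntu install path of the jellyfin-ffmpeg package and uses a placeholder minimum version (`MIN_PATCHED`), because the article names no fixed version; substitute the value from the FFmpeg advisory.

```shell
#!/bin/sh
# Added example (not from the article or the FFmpeg/Jellyfin projects):
# inventory the ffmpeg binaries a media server host runs and flag any that
# are below a patched version. The article gives no version number, so
# MIN_PATCHED is a PLACEHOLDER to be replaced with the value from the advisory.
MIN_PATCHED="${MIN_PATCHED:-0.0.0}"

# Paths to check: the ffmpeg on PATH plus the location the jellyfin-ffmpeg
# Debian/Ubuntu package installs to (assumption: adjust for other distros or
# for container images, where Jellyfin bundles its own copy).
SYS_FFMPEG=$(command -v ffmpeg 2>/dev/null || true)
CANDIDATES="$SYS_FFMPEG /usr/lib/jellyfin-ffmpeg/ffmpeg"

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower
# than B. Compares up to four numeric fields; missing fields count as 0.
version_lt() {
    i=1
    while [ "$i" -le 4 ]; do
        a=$(printf '%s\n' "$1" | cut -d. -f"$i")
        b=$(printf '%s\n' "$2" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
    return 1   # versions are equal
}

# parse_ffmpeg_version: extract the dotted release number from the first line
# of `ffmpeg -version`, e.g. "ffmpeg version 4.4.2-0ubuntu0.22.04.1 Copyright"
# -> "4.4.2" and "ffmpeg version n7.0.2-jellyfin" -> "7.0.2". Prints nothing
# when no dotted number is present (e.g. a git snapshot build "N-12345-g...").
parse_ffmpeg_version() {
    printf '%s\n' "$1" | sed -n '1s/^ffmpeg version [^0-9]*\([0-9][0-9]*\.[0-9][0-9.]*\).*/\1/p'
}

# scan_ffmpeg: report each candidate binary; succeed only if none is outdated.
scan_ffmpeg() {
    outdated=0
    for bin in $CANDIDATES; do
        [ -x "$bin" ] || { echo "skip     $bin (not present)"; continue; }
        ver=$(parse_ffmpeg_version "$("$bin" -version 2>/dev/null | head -n 1)")
        if [ -z "$ver" ]; then
            echo "unknown  $bin (could not parse version string; check manually)"
        elif version_lt "$ver" "$MIN_PATCHED"; then
            echo "OUTDATED $bin ($ver < $MIN_PATCHED)"
            outdated=$((outdated + 1))
        else
            echo "ok       $bin ($ver)"
        fi
    done
    [ "$outdated" -eq 0 ]
}

if scan_ffmpeg; then
    echo "no ffmpeg binary below $MIN_PATCHED found"
else
    echo "at least one ffmpeg binary needs updating"
fi
```

Run it as `MIN_PATCHED=<fixed version from the advisory> sh check-ffmpeg.sh` on each media server; a binary reported as "unknown" (a snapshot build whose version string carries no dotted release number) should be checked by hand rather than assumed safe.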

Attribution for the discovery has not been disclosed. The broad impact across multiple open-source media projects highlights the systemic risk of flaws in foundational libraries like FFmpeg.