don't panic people. aslr is there to protect you, ffmpeg exploit only works without aslr. aslr is enabled by default on modern systems!

to check on linux:
cat /proc/sys/kernel/randomize_va_space

should be 2 (OK)
#ffmpeg #PixelSmash

"If you provide a network-based service and explicitly disable standard security measures, people can remotely hack into your system!"

"If you post the location of your spare key online, people from all over the country can come and rob your house!"

#ffmpeg #PixelSmash #ASLR

🚨 ‼️ Pixelfed + Loops Admins PSA ⚠️

You need to update ffmpeg to v8.1.2+ ASAP.

We made a guide for Ubuntu ⬇️

https://gist.github.com/dansup/460039bf77284752cbf5ca7d6406f6c4

Please boost for visibility, this also affects other fediverse software, and this guide may help those admins too.

See https://jfrog.com/blog/pixelsmash-critical-ffmpeg-vulnerability-turns-media-files-into-weapons/ for more details about the vulnerability.

#ffmpeg #pixelsmash

How to update ffmpeg to the latest version for Pixelfed and Loops on Ubuntu

Gist
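
The two checks mentioned in the posts above (the `randomize_va_space` value and whether ffmpeg is at least the 8.1.2 named in the PSA), combined in one script. This is an added example, not code from any of the posts or the linked guide; the function names and sample banner lines are constructed. Distribution packages can carry backported fixes under an older version string, so an "outdated" result is a prompt to check the package changelog.

```shell
#!/bin/sh
FIXED=8.1.2   # minimum version named in the admin PSA on this page

# Interpret the value of /proc/sys/kernel/randomize_va_space.
aslr_status() {
    case "$1" in
        0) echo disabled ;;   # no address randomisation at all
        1) echo partial ;;    # stack, mmap base and vDSO randomised, brk heap not
        2) echo full ;;       # as 1, plus the brk heap
        *) echo unknown ;;
    esac
}

# Extract the numeric version from the first line of `ffmpeg -version`.
# Prints nothing for git snapshot builds ("N-12345-g...") that carry no release number.
ffmpeg_version() {
    printf '%s\n' "$1" | sed -n '1s/^ffmpeg version n\{0,1\}\([0-9][0-9.]*\).*/\1/p'
}

# Succeeds when version $1 >= version $2 (up to three dotted numeric fields).
version_ge() (
    have=$1 want=$2
    IFS=.
    set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $want; w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
    [ "$h1" -ne "$w1" ] && { [ "$h1" -gt "$w1" ]; exit; }
    [ "$h2" -ne "$w2" ] && { [ "$h2" -gt "$w2" ]; exit; }
    [ "$h3" -ge "$w3" ]
)

# $1 = randomize_va_space value, $2 = first line of `ffmpeg -version`.
assess() {
    ver=$(ffmpeg_version "$2")
    if [ -z "$ver" ]; then patch=unknown
    elif version_ge "$ver" "$FIXED"; then patch=patched
    else patch=outdated
    fi
    echo "aslr=$(aslr_status "$1") ffmpeg=$patch"
}

# Constructed sample inputs (not captured from a real host).
assess 2 'ffmpeg version 6.1.1-3ubuntu5 Copyright (c) 2000-2023 the FFmpeg developers'
assess 0 'ffmpeg version n8.1.2 Copyright (c) 2000-2026 the FFmpeg developers'

# On a live Linux host:
#   assess "$(cat /proc/sys/kernel/randomize_va_space)" "$(ffmpeg -version | head -n 1)"
```
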
Christine Lemmer-Webber

A vulnerability in ffmpeg allows remote code execution via a crafted media file https://www.securityweek.com/ffmpeg-pixelsmash-flaw-allows-rce-on-video-players-media-servers-nas-appliances/ This affects anything that would even try to generate a *thumbnail*, and that includes your file browser, your fedi server, etc etc etc.

social.coop

I feel like this is an under-reported limitation to that ffmpeg "PixelSmash" vulnerability: Their proof-of-concept exploit only works with ASLR disabled. Which, on any modern system, really shouldn't be the case.

https://jfrog.com/blog/pixelsmash-critical-ffmpeg-vulnerability-turns-media-files-into-weapons/

#ffmpeg #PixelSmash #ASLR

I find it weird calling the recent FFmpeg security vulnerability an RCE [1]. Where is that remote coming from?
Yes sure, some web applications use FFmpeg and pass untrusted files to it. *Those* have an RCE.
Setting the CVSS attack vector to "network" seems overinflating.

By that standard any software that somebody built a webapp around is "network" facing.

And let's not even talk about setting attack complexity to "low" but admitting that it only works with ASLR disabled.

[1] https://jfrog.com/blog/pixelsmash-critical-ffmpeg-vulnerability-turns-media-files-into-weapons/

#FFmpeg #vulnerability #infosec #PixelSmash

PixelSmash - Critical FFmpeg Vulnerability Turns Media Files into Weapons

PixelSmash (CVE-2026-8461) is a high-severity FFmpeg flaw discovered by JFrog that allows remote code execution via a malformed 50 KB media file. Upgrading is urged.

JFrog
FFmpeg fixes PixelSmash flaw in widely used video decoder

A newly disclosed FFmpeg flaw dubbed 'PixelSmash' could be exploited for remote code execution on Jellyfin servers under certain conditions, and can also trigger a denial-of-service condition in applications like Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio.

BleepingComputer