JLSEC-2026-653

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-653.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-653.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2026-653
Upstream
  • CVE-2026-8461
  • EUVD-2026-37878
  • GHSA-qff7-4q6c-m8h6
Published
2026-06-26T20:24:16.337Z
Modified
2026-07-02T05:47:02.459114171Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV...
Details

An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution.

This vulnerability is associated with the file libavcodec/magicyuv.C.

This issue affects FFmpeg before version 8.1.2.

Database specific
{
    "sources": [
        {
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-8461",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8461",
            "database_specific": {
                "status": "Awaiting Analysis"
            },
            "published": "2026-06-18T14:17:36.660Z",
            "imported": "2026-06-26T19:19:53.265Z",
            "id": "CVE-2026-8461",
            "modified": "2026-06-22T20:31:03.510Z"
        },
        {
            "url": "https://api.github.com/advisories/GHSA-qff7-4q6c-m8h6",
            "html_url": "https://github.com/advisories/GHSA-qff7-4q6c-m8h6",
            "id": "GHSA-qff7-4q6c-m8h6",
            "published": "2026-06-18T15:32:03Z",
            "imported": "2026-06-26T19:19:47.885Z",
            "modified": "2026-06-18T15:32:09Z"
        },
        {
            "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-37878",
            "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-37878",
            "id": "EUVD-2026-37878",
            "published": "2026-06-18T11:29:00Z",
            "imported": "2026-06-26T19:19:09.186Z",
            "modified": "2026-06-19T03:55:41Z"
        }
    ],
    "license": "CC-BY-4.0"
}
References

Affected packages

Julia / FFMPEG_jll

Package

Name
FFMPEG_jll
Purl
pkg:julia/FFMPEG_jll?uuid=b22a6f82-2f65-5046-a5b2-351ab43fb4e5

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.1.2+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-653.json"

Julia / FFMPEG_nogpl_jll

Package

Name
FFMPEG_nogpl_jll
Purl
pkg:julia/FFMPEG_nogpl_jll?uuid=a6892c6b-5768-548c-b024-ff8dabf482c5

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.1.2+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-653.json"

Julia / FFplay_jll

Package

Name
FFplay_jll
Purl
pkg:julia/FFplay_jll?uuid=c4dce911-e170-5107-8314-c7bdc6785395

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.1.2+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-653.json"