ADVERTISEMENT

Critical FFmpeg flaw discovered: just watching a video can fully compromise your system

Open a sketchy video file in VLC, stream it using Jellyfin or Kodi, or don’t even open it at all – simply storing it can get you compromised when the Linux file manager generates a thumbnail. A critical bug in FFmpeg, a massively popular open-source video processing engine, allows attackers to crash systems with ease and, in the worst cases, run malicious code.

ffmpeg

Image by Cybernews.

Ernestas Naprys
Ernestas Naprys Senior Journalist
Jun 23, 2026 Updated: 23 June 2026 4 min read
Key takeaways:
Jurgita Lapienyte justinasv Izabele Pukenaite vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Add us as your Preferred Source on Google.
torrent
Image from Gettyimages

How does the bug work?

Check if your data has been leaked

Find out if your email, phone number or related personal information might have fallen into the wrong hands.
18,611,353,922
Breached accounts
36,030
Breached websites
ADVERTISEMENT
Pixelsmash Diagram
Image by JFrog.

Many ways to get hacked

  • Desktop users: can be compromised by opening the malicious file in a video player, or simply browsing to a folder containing it (the file manager’s thumbnail generator triggers the vulnerability).
  • Servers: can be compromised when a user uploads the file to a media server (Jellyfin, Emby, Nextcloud, Immich), chat platform (Slack, Discord, Telegram), or cloud transcoding service (AWS MediaConvert, Cloudflare Stream) – the server processes it automatically
  • Embedded/IoT devices: can be hacked as well. NAS appliances (Synology, QNAP), smart TVs, or media appliances generate video thumbnails or previews.

ADVERTISEMENT