Pixelsmash Vulnerability in ffmpeg (CVE-2026-8461) - Is Emby vulnerable?

[CHBMB 7]

With the public announcement of pixelsmash (see CVE report here) Could we get some clarity regarding where we stand with Emby and this vulnerability please?

It appears Jellyfin have already fixed it and were notified about t he vulnerability before it was made public, and Plex isn't vulnerable due to their customisation of ffmpeg.

I couldn't find any information regarding where Emby sits with regard to this and would appreciate some clarity.

Thanks

 

 

Edited 16 hours ago by CHBMB
Improve title

[Pejamas 64]

Came here straight after seeing the jellyfin post on reddit expecting to see an update.

[CHBMB 7]

I've sent a PM to the Emby devs as well, but, whilst it's been read by one of them, no reply as of yet.

[CHBMB 7]

Reading here it doesn't sound like Emby got a heads up, and it doesn't sound like a remote code execution can happen on Emby either, like it could on Jellyfin, but an Emby server could be crashed.   Less than ideal, but far less worrying than a RCE.  They also tested v4.8.11 rather than the current release.

[cowdoy 0]

Yeah I would love to see some sort of communication from the team about this. Doesn't make me feel great about running this on my system.

[Luke 42612]

Hi, we are currently reviewing this. Thanks.

[xe` 45]

It would helpful if we could get as early a notice as possible if we need to shutdown Emby in the short term.

Please dont wait until you have completed every in depth review, development, compilation and blog post step before giving that heads up.

Let people make early decisions on their own even working with imperfect information.