Skip to content

Bump ffmpeg to 8.1.2 to fix CVE-2026-8461#1249

Open
MDSALMANSHAMS wants to merge 1 commit into
opencv:4.xfrom
MDSALMANSHAMS:bump-ffmpeg-8.1.2-cve-2026-8461
Open

Bump ffmpeg to 8.1.2 to fix CVE-2026-8461#1249
MDSALMANSHAMS wants to merge 1 commit into
opencv:4.xfrom
MDSALMANSHAMS:bump-ffmpeg-8.1.2-cve-2026-8461

Conversation

@MDSALMANSHAMS

Copy link
Copy Markdown
Contributor

Resolves #1248.

Problem

ffmpeg 8.1.1 is affected by CVE-2026-8461 - an out-of-bounds write in the MagicYUV decoder (libavcodec/magicyuv.c), CWE-787, CVSS 3.1 base score 8.8 (HIGH). It allows denial of service and potentially remote code execution when decoding a crafted MagicYUV stream. It is fixed upstream in ffmpeg 8.1.2.

Change

Bump FFMPEG_VERSION from 8.1.1 to 8.1.2 in all seven build Dockerfiles:

Image Arch
manylinux2014 i686, x86_64, aarch64
manylinux_2_28 x86_64, aarch64
musllinux_1_2 x86_64, aarch64

One line per file, no other changes. 8.1.1 appears nowhere else in the tree, so there are no checksums or pins left to update.

Notes

  • ffmpeg-8.1.2.tar.gz is published on ffmpeg.org, so the existing download URLs in each Dockerfile resolve unchanged with no other edits. 8.1.3 is not released, making 8.1.2 the correct target.
  • 8.1.2 is a patch release in the same 8.1 series as the currently pinned version, so no API or ABI change is expected for the OpenCV video I/O backend.
  • Follows the same pattern as Bump ffmpeg to 8.1.1 in manylinux2014 i686 build #1233, which bumped the i686 image to 8.1.1.

ffmpeg 8.1.1 is affected by CVE-2026-8461, an out-of-bounds write in the
MagicYUV decoder (libavcodec/magicyuv.c, CWE-787, CVSS 8.8). It is fixed
upstream in ffmpeg 8.1.2.

Update FFMPEG_VERSION from 8.1.1 to 8.1.2 in all seven build Dockerfiles
(manylinux2014, manylinux_2_28 and musllinux_1_2).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CVE-2026-8461 in FFMPEG 8.1.1 (needs an update to 8.1.2)

1 participant