CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-20260

CVSS 9.8v3.1pub. 2025-06-18upd. 2025-11-03

A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.

🤖 AI Analysis
How it works

The error results from improper memory buffer allocation during PDF file processing by ClamAV (CWE-122 — heap-based buffer overflow). An attacker can supply a specially crafted PDF file to a system running ClamAV, for example via email or file upload services subject to scanning. Processing such a file causes a buffer overflow, which most likely results in the scanner process terminating abnormally. Although not confirmed, there is a possibility of exploiting this overflow to execute arbitrary code with the privileges of the ClamAV process.

Impact

An attacker can cause permanent disruption of the antivirus scanning service (DoS), and in a potential scenario, execute arbitrary code with the privileges of the ClamAV process on the targeted device.

Mitigation & patch

ClamAV should be updated to version 1.4.3 or 1.0.9 according to information published on the official ClamAV blog (https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html). Users of Debian distributions should apply patches available through the debian-lts-announce channel.

Who is affected

ClamAV — versions indicated in vendor references; patches have been made available in ClamAV versions 1.4.3 and 1.0.9 according to the official project blog

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Clamav

    APP
    Clamav
    < 1.0.91.2.0 – 1.4.3 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEDoSMemory
CWE
References

Related vulnerabilities

CVE-2023-20032CRITICAL9.8ten sam produkt

On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerabilit...

CVE-2013-7088CRITICAL9.8ten sam produkt

ClamAV before 0.97.7 has buffer overflow in the libclamav component

CVE-2013-7087CRITICAL9.8ten sam produkt

ClamAV before 0.97.7 has WWPack corrupt heap memory

CVE-2007-6745CRITICAL9.8ten sam produkt

clamav 0.91.2 suffers from a floating point exception when using ScanOLE2.

CVE-2007-0899CRITICAL9.8ten sam produkt

There is a possible heap overflow in libclamav/fsg.c before 0.100.0.