A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.
The error results from improper memory buffer allocation during PDF file processing by ClamAV (CWE-122 — heap-based buffer overflow). An attacker can supply a specially crafted PDF file to a system running ClamAV, for example via email or file upload services subject to scanning. Processing such a file causes a buffer overflow, which most likely results in the scanner process terminating abnormally. Although not confirmed, there is a possibility of exploiting this overflow to execute arbitrary code with the privileges of the ClamAV process.
An attacker can cause permanent disruption of the antivirus scanning service (DoS), and in a potential scenario, execute arbitrary code with the privileges of the ClamAV process on the targeted device.
ClamAV should be updated to version 1.4.3 or 1.0.9 according to information published on the official ClamAV blog (https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html). Users of Debian distributions should apply patches available through the debian-lts-announce channel.
ClamAV — versions indicated in vendor references; patches have been made available in ClamAV versions 1.4.3 and 1.0.9 according to the official project blog
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HClamav
APPClamav< 1.0.91.2.0 – 1.4.3 (bez)
Related vulnerabilities
On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerabilit...
ClamAV before 0.97.7 has buffer overflow in the libclamav component
ClamAV before 0.97.7 has WWPack corrupt heap memory
clamav 0.91.2 suffers from a floating point exception when using ScanOLE2.
There is a possible heap overflow in libclamav/fsg.c before 0.100.0.