Multiple high-severity vulnerabilities, including a dangerous buffer overflow capable of remote code execution, have been fixed in critical security updates released by the ClamAV team for versions 1.4.3 and 1.0.9.
These patch releases target several security issues that affect all currently supported versions of the popular open-source antivirus engine, with the most critical vulnerability (CVE-2025-20260) posing significant risks to systems with specific configuration parameters.
Critical Security Vulnerabilities Addressed
The most severe vulnerability patched in both releases is CVE-2025-20260, a buffer overflow write bug located in the PDF file parser module.
This flaw presents a dual threat, potentially causing denial-of-service (DoS) conditions or, more critically, enabling remote code execution on affected systems.
The flaw is only reachable in configurations where the max file-size scan limit is set to 1024MB or greater and the max scan-size scan limit is set to 1025MB or greater.
The remote code execution potential of CVE-2025-20260 stems from a code change implemented in version 1.0.0 that enabled larger memory allocations based on untrusted input data.
While the underlying flaw existed in pre-1.0.0 versions, this modification created the conditions necessary to trigger the buffer overflow, transforming a dormant vulnerability into an active security threat.
Additionally, version 1.4.3 addresses CVE-2025-20234, a buffer overflow read vulnerability in the Universal Disk Format (UDF) file parser.
This security flaw, introduced in version 1.2.0, can lead to information disclosure through temporary file writes or system crashes resulting in DoS conditions.
The vulnerability demonstrates the ongoing challenges in parsing complex file formats securely.
Both releases include fixes for a critical use-after-free vulnerability in the Xz decompression module within the bundled lzma-sdk library.
This memory management flaw affects ClamAV versions dating back to at least 0.99.4, highlighting the persistent nature of certain security issues in legacy codebases.
The vulnerability was originally resolved in lzma-sdk version 18.03, but ClamAV maintained its custom implementation with performance optimizations specific to libclamav.
| CVE | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|---|---|---|---|---|
| CVE-2025-20260 | All ClamAV versions prior to 1.4.3 and 1.0.9 | Remote Code Execution or Denial-of-Service via buffer overflow write in PDF parser | 1. max_file_size scan limit ≥1024MB; 2. max_scan_size scan limit ≥1025MB | 9.8 (Critical) |
| CVE-2025-20234 | ClamAV versions 1.2.0 to 1.4.2 | Information Disclosure | Default configuration (no special prerequisites) | 7.5 (High) |
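Because CVE-2025-20260 is only reachable when both scan limits are raised, a defender's first question is whether a given clamd host actually meets the two prerequisites and, if so, whether its build already carries the fix. The following script is an added example written for this article, not code from the ClamAV project: it reads a clamd.conf fragment, converts the MaxFileSize and MaxScanSize values to bytes, compares them against the thresholds in the table above, and combines that with the running version. It assumes the clamd.conf directive names MaxFileSize and MaxScanSize, the K/M/G size suffixes those directives accept, the clamd.conf.sample defaults of 25M and 100M when a directive is absent, and that a value of 0 disables a limit (treated conservatively as exceeding any threshold). The sample configuration inside is constructed, not taken from any real host.

```python
"""Flag ClamAV hosts exposed to CVE-2025-20260 from their scan limits and version.

Added example for this article; not ClamAV project code. Assumptions: the
clamd.conf directive names MaxFileSize / MaxScanSize, K/M/G size suffixes,
clamd.conf.sample defaults when a directive is missing, and 0 == no limit.
"""
import re

MIB = 1024 * 1024

# Thresholds from the advisory: both must hold for the PDF-parser overflow
# to be reachable on an unpatched build.
FILESIZE_THRESHOLD = 1024 * MIB   # max file-size limit >= 1024MB
SCANSIZE_THRESHOLD = 1025 * MIB   # max scan-size limit >= 1025MB

# Assumed defaults used when a directive is absent (clamd.conf.sample values).
DEFAULTS = {"MaxFileSize": "25M", "MaxScanSize": "100M"}

_SIZE_RE = re.compile(r"^(\d+)\s*([kKmMgG]?)$")
_MULT = {"": 1, "k": 1024, "m": MIB, "g": 1024 * MIB}


def parse_size(text):
    """Convert a clamd.conf size ('25M', '2G', '4096') to bytes; None means unlimited."""
    m = _SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size value: {text!r}")
    number, suffix = int(m.group(1)), m.group(2).lower()
    if number == 0:
        return None  # assumption: 0 disables the limit entirely
    return number * _MULT[suffix]


def parse_clamd_conf(text):
    """Return {directive: value}; a repeated directive keeps its last value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_version(text):
    """Extract (major, minor, patch) from '1.4.2' or 'ClamAV 1.4.2/<db>/<date>'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_fixed(version):
    """Fixed builds per the advisory table: 1.4.3+ and the 1.0.9+ LTS line."""
    return version >= (1, 4, 3) or (1, 0, 9) <= version < (1, 1, 0)


def limits_reachable(conf):
    """True when both scan limits meet the advisory's exploit prerequisites."""
    file_limit = parse_size(conf.get("MaxFileSize", DEFAULTS["MaxFileSize"]))
    scan_limit = parse_size(conf.get("MaxScanSize", DEFAULTS["MaxScanSize"]))
    file_hit = file_limit is None or file_limit >= FILESIZE_THRESHOLD
    scan_hit = scan_limit is None or scan_limit >= SCANSIZE_THRESHOLD
    return file_hit and scan_hit


def assess(conf_text, version_text):
    """Exposed only if the limits are reachable AND the build predates the fix."""
    conf = parse_clamd_conf(conf_text)
    version = parse_version(version_text)
    reachable = limits_reachable(conf)
    fixed = version_is_fixed(version)
    return {"version": version, "limits_reachable": reachable,
            "version_fixed": fixed, "exposed": reachable and not fixed}


# Constructed sample configuration; not taken from any real host.
SAMPLE_CONF = """\
# clamd.conf (constructed sample)
LogFile /var/log/clamav/clamd.log
MaxScanSize 2G
MaxFileSize 2000M
MaxRecursion 17
"""

if __name__ == "__main__":
    for ver in ("ClamAV 1.4.2/0/constructed", "1.4.3", "1.0.9", "1.2.1"):
        print(ver, "->", assess(SAMPLE_CONF, ver))
```

The two checks are kept separate on purpose: a host whose limits are below the thresholds is not exposed to CVE-2025-20260 even on an old build, but it should still be upgraded because the UDF and lzma-sdk fixes in the same releases have no such configuration prerequisite.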
Patch Available
The security patches are immediately available through multiple distribution channels, including the official ClamAV downloads page, GitHub Release repository, and Docker Hub containers.
Notably, the development team has expanded platform support by introducing Linux aarch64 (ARM64) RPM and DEB installer packages for the 1.4 Long Term Support (LTS) release, addressing the growing deployment of ARM-based server infrastructure.
Windows users benefit from an additional fix addressing DLL dependency conflicts where libraries such as libcrypto share identical names with Windows system components, preventing installation failures and ensuring proper functionality across diverse Windows environments.