VYPR
Unrated severity · NVD Advisory · Published Oct 14, 2005 · Updated Jun 16, 2026

CVE-2005-3229

Description

Multiple interpretation error in unspecified versions of ClamAV Antivirus allows remote attackers to bypass virus detection via a malicious executable in a specially crafted RAR file with malformed central and local headers, which can still be opened by products such as Winrar and PowerZip, even though they are rejected as corrupted by Winzip and BitZipper.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • ClamAV/Clamav (inferred), 2 versions
    • (no CPE)
    • (no CPE)

Patches

Vulnerability mechanics

Root cause

"Interpretation mismatch: ClamAV's RAR parser rejects archives with malformed headers as corrupted, while other archivers accept and extract them, allowing malicious content to bypass virus detection."

Attack vector

An attacker crafts a RAR archive with malformed central and local headers that contains a malicious executable (e.g., the EICAR test file). ClamAV's parser rejects or fails to scan the archive because of the header corruption and reports it as clean. Archivers such as Winrar and PowerZip, however, still open the archive and extract the payload, so the malicious content reaches the victim's filesystem [ref_id=1].

Affected code

The advisory does not specify the exact functions or files within ClamAV that are at fault. The vulnerability involves ClamAV's RAR parsing logic when processing archives with "malformed central and local headers" [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory does not provide remediation guidance from the vendor. It only documents the detection bypass and notes that ClamAV 0.87/1120 (as of October 2005) failed to detect the EICAR test file inside the specially crafted RAR archives [ref_id=1].

Preconditions

  • input: Attacker must craft a RAR archive with malformed central and local headers that still extract correctly on target archivers (e.g., Winrar, PowerZip).
  • config: Victim must use an affected version of ClamAV to scan the archive.
  • input: Victim must extract the archive using a tolerant archiver (e.g., Winrar, PowerZip) for the payload to execute.
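
The mismatch described above can be handled on the defender's side by failing closed whenever the scanner and an archiver disagree about what an archive contains. The following is an added example, not code from the advisory or from ClamAV; `ParserView`, `triage`, the verdict strings and the sample records are hypothetical, and the member names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ParserView:
    """How one tool interpreted the archive bytes (hypothetical record type)."""
    tool: str
    opened: bool                        # False: tool rejected the archive as corrupted
    members: frozenset = frozenset()    # member names the tool could list or extract

def triage(scanner, verdict, others):
    """Return (action, reason); fail closed when interpretations differ."""
    if verdict == "infected":
        return ("quarantine", "scanner detection")
    inspected = scanner.members if scanner.opened else frozenset()
    # Members some archiver can extract but the scanner never looked at.
    unseen = set()
    for view in others:
        if view.opened:
            unseen |= view.members - inspected
    if unseen:
        return ("quarantine", "uninspected members: " + ", ".join(sorted(unseen)))
    if not scanner.opened:
        return ("quarantine", "scanner could not parse the archive")
    rejected = sorted(v.tool for v in others if not v.opened)
    if rejected:
        return ("review", "parsers disagree, rejected by: " + ", ".join(rejected))
    return ("deliver", "scanner inspected every member any parser exposes")

# Constructed sample data: tool names come from the advisory, member names are made up.
CRAFTED = (ParserView("ClamAV", opened=False), "clean", [
    ParserView("Winrar", True, frozenset({"payload.exe"})),
    ParserView("PowerZip", True, frozenset({"payload.exe"})),
    ParserView("Winzip", False),
    ParserView("BitZipper", False),
])
ORDINARY = (ParserView("ClamAV", True, frozenset({"report.pdf"})), "clean", [
    ParserView("Winrar", True, frozenset({"report.pdf"})),
    ParserView("Winzip", True, frozenset({"report.pdf"})),
])

if __name__ == "__main__":
    for name, case in (("crafted", CRAFTED), ("ordinary", ORDINARY)):
        print(name, triage(*case))
```

A "clean" verdict is only accepted when the scanner opened the archive and saw every member that any other parser exposes; a parse failure in the scanner is never treated as clean.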

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
