CVE-2014-9328
Description
ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted upack packer file, related to a "heap out of bounds condition."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ClamAV before 0.98.6 has a heap out-of-bounds condition in upack packer handling that could lead to denial of service or arbitrary code execution.
Vulnerability
In ClamAV versions prior to 0.98.6, a heap out-of-bounds condition exists when processing specially crafted upack packer files. This issue was discovered by Sebastian Andrzej Siewior and is fixed in version 0.98.6 [2]. All versions before 0.98.6 are affected.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious upack packer file and delivering it to a system that uses ClamAV to scan files. No authentication is required; remote attackers can send the file via email, downloads, or other means. Processing the malicious file triggers the heap out-of-bounds condition.
Impact
Successful exploitation could result in a crash (denial of service) or potentially allow arbitrary code execution on the affected system. The Ubuntu advisory [1] confirms the possibility of code execution. The CVE description notes an unspecified impact, but the heap out-of-bounds condition is known to be exploitable.
Mitigation
The vulnerability is fixed in ClamAV version 0.98.6, released in January 2015 [2]. Users should upgrade to version 0.98.6 or later. Ubuntu provided updates for 10.04 LTS, 12.04 LTS, 14.04 LTS, and 14.10 [1]. No workarounds are documented.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
8cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
- osv-coords4 versionspkg:rpm/opensuse/clamav&distro=openSUSE%20Tumbleweedpkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%2012pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012
< 0.99.2-4.1+ 3 more
- (no CPE)range: < 0.99.2-4.1
- (no CPE)range: < 0.98.6-10.1
- (no CPE)range: < 0.98.6-10.1
- (no CPE)range: < 0.98.6-10.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
12- blog.clamav.net/2015/01/clamav-0986-has-been-released.htmlnvdVendor Advisory
- lists.fedoraproject.org/pipermail/package-announce/2015-January/148950.htmlnvd
- lists.fedoraproject.org/pipermail/package-announce/2015-January/148958.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00014.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00020.htmlnvd
- lists.opensuse.org/opensuse-updates/2015-05/msg00024.htmlnvd
- secunia.com/advisories/62536nvd
- secunia.com/advisories/62757nvd
- securitytracker.com/id/1031672nvd
- www.securityfocus.com/bid/72372nvd
- www.ubuntu.com/usn/USN-2488-2nvd
- security.gentoo.org/glsa/201512-08nvd
News mentions
0No linked articles in our index yet.