VYPR
Unrated severity · NVD Advisory · Published May 12, 2015 · Updated May 6, 2026

CVE-2015-2668

Description

ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted xz archive file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ClamAV before 0.98.7 has an infinite loop in xz archive parsing, enabling remote denial of service via a crafted file.

Vulnerability

ClamAV versions before 0.98.7 contain an infinite loop condition in the parser for "xz" archive files. When the scanner processes a specially crafted xz archive, the code path fails to terminate, leading to an indefinite hang. The vulnerability was reported by Dimitri Kirchner and Goulven Guiheux and is assigned CVE-2015-2668 [2].

Exploitation

An attacker can exploit this vulnerability by crafting an xz archive file that triggers the infinite loop. The attack is remote: no authentication or special network position is required beyond delivering the file to a system running a vulnerable ClamAV instance (e.g., via email attachment or file upload). No user interaction beyond scanning the file is needed [1].

Impact

Successful exploitation results in a denial of service (DoS) condition: ClamAV enters an infinite loop, consuming CPU resources and effectively becoming unresponsive until the scan is interrupted or the process is killed. The Ubuntu security notice states that in some configurations the crash might also lead to arbitrary code execution, though the primary and confirmed outcome is a DoS [1]. In default installations, the ClamAV AppArmor profile may partially isolate the impact [1].

Mitigation

ClamAV version 0.98.7, released on April 21, 2015, fixes the infinite loop by correcting the xz archive parsing logic. Users should upgrade to 0.98.7 or later as soon as possible. The fix is included in Ubuntu security update USN-2594-1 [1] and in Gentoo GLSA 201512-08 [3]. No workarounds are available if upgrading is not possible [3].
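Since the only remediation is the version upgrade, a defender's first step is to inventory engine versions across hosts. The following is an added example (not from the advisory or the ClamAV project) that parses the banner printed by `clamscan --version` and compares it against the 0.98.7 fix version; the sample banners and their signature-database numbers are constructed.

```python
import re
import subprocess

# First release that closed CVE-2015-2668 (per the advisory above).
FIXED_VERSION = (0, 98, 7)


def parse_clamav_version(banner: str):
    """Extract (major, minor, patch) from a `clamscan --version` banner.

    Real banners look like "ClamAV 0.98.6/20401/Tue Apr 21 ..." where the
    fields after the first '/' are the signature database version and date.
    A two-component version (e.g. "ClamAV 0.99") is treated as patch 0.
    Returns None when no version can be found.
    """
    m = re.search(r"ClamAV\s+(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version) -> bool:
    """True when the engine predates the 0.98.7 fix."""
    return version < FIXED_VERSION


def assess(banner: str) -> str:
    """Human-readable verdict for one version banner."""
    v = parse_clamav_version(banner)
    if v is None:
        return "unknown: could not parse version banner"
    label = "vulnerable (CVE-2015-2668)" if is_vulnerable(v) else "fixed"
    return f"{'.'.join(map(str, v))}: {label}"


def local_clamav_banner() -> str:
    """Run `clamscan --version` on this host; empty string if unavailable."""
    try:
        proc = subprocess.run(["clamscan", "--version"], capture_output=True,
                              text=True, timeout=10)
        return proc.stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""


if __name__ == "__main__":
    # Constructed sample banners so the check can be exercised offline.
    for sample in ("ClamAV 0.98.6/20401/Tue Apr 21 10:00:00 2015",
                   "ClamAV 0.98.7/20412/Fri May  8 12:00:00 2015",
                   "ClamAV 0.99.2"):
        print(assess(sample))
    banner = local_clamav_banner()
    if banner:
        print("local host:", assess(banner))
```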

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 10

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.