VYPR
patchPublished Jul 5, 2026· 1 source

ClamAV Patches Seven Critical Scanner Vulnerabilities Dating Back Two Decades

Cisco Talos has released ClamAV versions 1.5.3 and 1.4.5, addressing seven security flaws, including heap buffer overflows and denial-of-service vulnerabilities, in its malware scanning engine.

Cisco's Talos group has released critical security patches for the widely used open-source antivirus engine, ClamAV. Versions 1.5.3 and 1.4.5 address a total of seven vulnerabilities, some of which have existed in the codebase for up to two decades. These flaws, primarily located in the engine's handling of executable and archive file formats, could allow attackers to crash the scanner, leading to denial-of-service conditions, or potentially execute arbitrary code.

The majority of the patched vulnerabilities reside within the packer and PE (Portable Executable) parsing code, which is responsible for dissecting executable files. CVE-2026-20213, for instance, is an integer overflow in the PE rebuild size calculation that can be triggered by a malformed Aspack-packed file, resulting in a heap buffer overflow write. Similarly, CVE-2026-20214 addresses an FSG unpacker loop underflow that could write past the section array when scanning a crafted PE file. The FSG issue is particularly concerning as it has been present in ClamAV builds since 2004.

Further complicating the landscape, CVE-2026-20217, a bug in the PESpin unpacker cleanup path, could lead to the freeing of pointers into the scanned file buffer, causing the scanner to crash. This vulnerability has been part of the code since 2005. These PE-related flaws highlight the persistent challenges in securely parsing complex and potentially malicious file formats, even in mature software.

Beyond executable files, three other fixes target archive and disk-image handling. CVE-2026-20215 involves a 7z parser substream count overflow that can lead to under-allocation of parser metadata arrays, followed by out-of-bounds writes when processing a crafted archive. CVE-2026-20243 deals with ALZ parser size handling errors that could cause malformed ALZ archives to panic, abort the scanner, or bypass expected scan limits. Additionally, CVE-2026-20216 addresses an InstallShield archive extraction limit bypass, potentially allowing excessive temporary data writes that could exhaust storage.

The final parsing flaw, CVE-2026-20244, is found in the 32-bit DMG parser. A short mish stripe table could pass validation checks and cause the scanner to crash. This vulnerability specifically affects only 32-bit builds of ClamAV and has been present since version 0.98.1, leaving 64-bit builds unaffected.

In addition to these parsing vulnerabilities, the new releases also include hardening against time-of-check/time-of-use (TOCTOU) race conditions in quarantine actions. Reported by Hiroki Imai of Ricerca Security, Inc., these races could allow attackers to redirect files during scan operations under specific, unsafe quarantine directory settings, impacting clamscan, clamdscan, and clamonacc.

Version 1.5.3 brings further enhancements, including an upgrade to the Rust tar dependency to address two RUSTSEC advisories and a move past CVE-2026-41676 in the Rust openssl dependency. It also implements pre-scan metadata checks before the final verdict and fixes a hash bucket list corruption issue in ClamOnAcc. Both releases mandate a minimum CMake version of 3.17 to resolve build issues with static dependencies against libcurl v8.21.0.

These patches are crucial for organizations that rely on ClamAV for malware scanning in mail gateways, file upload checks, and endpoint security solutions. The long-standing nature of some of these vulnerabilities underscores the importance of continuous security auditing and timely patching, even for well-established open-source projects.

Synthesized by Vypr AI