ClamAV: Six File Format Parser Flaws Disclosed Together, Patched in 1.5.3/1.4.5
Key findings • Six ClamAV vulnerabilities disclosed simultaneously on July 3, 2026, affecting file format parsers. • Vulnerabilities primarily lead to Denial-of-Service (DoS) conditions due t…

Key findings
- Six ClamAV vulnerabilities disclosed simultaneously on July 3, 2026, affecting file format parsers.
- Vulnerabilities primarily lead to Denial-of-Service (DoS) conditions due to improper file handling.
- Affected parsers include PE, InstallShield, DMG, ALZ, 7z, and FSG file formats.
- Memory corruption is a potential impact for several of the disclosed flaws.
- ClamAV versions 1.5.3 and 1.4.5 have been released to patch these issues.
On July 3, 2026, a batch of six vulnerabilities was disclosed in ClamAV, the open-source antivirus engine used in numerous security applications. These vulnerabilities, all disclosed simultaneously, primarily affect ClamAV's file format parsers and could lead to denial-of-service (DoS) conditions or memory corruption. The disclosures highlight potential weaknesses in how ClamAV handles various archive and executable file types, posing a risk to systems relying on its scanning capabilities.
The disclosed vulnerabilities stem from improper handling of file formats, including PE (Portable Executable), InstallShield, DMG (Apple Disk Image), ALZ, 7z, and FSG. Specifically, CVE-2026-20213, CVE-2026-20244, CVE-2026-20243, CVE-2026-20215, and CVE-2026-20214 involve improper boundary checks during the scanning of PE, DMG, ALZ, 7z, and FSG files, respectively. These checks could allow malformed files to trigger memory corruption, potentially leading to DoS or other impacts. CVE-2026-20216, affecting the InstallShield file format parser, is due to improper handling of temporary resources during scanning, also leading to a DoS condition.
While the primary impact described for these vulnerabilities is denial-of-service, the potential for memory corruption in several cases (CVE-2026-20213, CVE-2026-20244, CVE-2026-20243, CVE-2026-20215, CVE-2026-20214) suggests that more severe consequences, such as arbitrary code execution, might be possible under certain conditions, although this is not explicitly detailed in the provided information. The related news coverage from Help Net Security mentions that these bugs, along with others, date back two decades, underscoring the long-standing nature of some of these parsing issues.
ClamAV has released patch versions 1.5.3 and 1.4.5 to address these vulnerabilities. Users are strongly advised to update to these patched versions to mitigate the risks associated with these file format parsing flaws. The prompt disclosure and subsequent patching by the ClamAV project, maintained by Cisco's Talos group, aim to protect the wide range of systems that incorporate ClamAV into their security infrastructure, from mail gateways to endpoint protection tools.
This coordinated disclosure of multiple file format parsing vulnerabilities emphasizes the importance of regularly updating security software, especially components like antivirus engines that handle a vast array of potentially malicious file types. The fixes in versions 1.5.3 and 1.4.5 are crucial for maintaining the integrity and security of systems relying on ClamAV for threat detection. Users should ensure their ClamAV installations are updated promptly to benefit from these security enhancements.
CVE-2026-20213 CVE-2026-20216 CVE-2026-20244 CVE-2026-20243 CVE-2026-20215 CVE-2026-20214