Multiple ClamAV Vulnerabilities Enable Denial-of-Service Attacks on Cisco Endpoints
Several high-severity vulnerabilities in Cisco's ClamAV engine allow remote attackers to trigger denial-of-service conditions by crashing the antivirus scanning process on affected endpoints.

Cisco has issued a security advisory detailing multiple high-severity vulnerabilities within its ClamAV engine, which could allow remote attackers to cause a denial-of-service (DoS) by crashing the antivirus scanning process. These flaws affect Cisco Secure Endpoint Connector deployments across Windows, Linux, and macOS.
The vulnerabilities stem from improper memory handling, boundary checks, and resource management within various ClamAV file format parsers. These include, but are not limited to, PE, FSG, 7z, InstallShield, PESpin, ALZ, and DMG. An unauthenticated attacker could craft malformed files in these formats and deliver them to an endpoint via common vectors such as email, web downloads, or shared network drives.
When the ClamAV engine attempts to scan these malicious files, specific bugs within the parsers can be triggered. These bugs, such as out-of-bounds writes, memory overreads, and integer overflows on 32-bit platforms, can cause the ClamAV process to terminate unexpectedly. Beyond interrupting antivirus scanning, the crash can temporarily consume system resources, resulting in a DoS condition.
The impact of these vulnerabilities varies by platform. On Windows, the ClamAV scanning process often runs with higher privileges, and a crash can directly affect endpoint stability, leading to unresponsiveness that may require a manual reboot. Cisco rates these Windows-specific impacts as High, with a CVSS score of 7.5. On Linux and macOS, the Security Impact Rating is considered Medium, as the DoS primarily disrupts scanning operations rather than destabilizing the entire operating system, although malware detection is still delayed or blocked while the scanner is down.
Cisco's advisory, cisco-sa-clamav-88cFYyxR, notes that similar ClamAV parsing vulnerabilities have historically disrupted scanning operations and caused scans to fail. While these specific flaws are described as leading to DoS, the advisory implicitly warns that past vulnerabilities in security engines processing untrusted input have sometimes led to remote code execution, underscoring the inherent risks.
While Cisco Secure Endpoint Private Cloud is not directly vulnerable, the connectors distributed from it are susceptible to these ClamAV flaws and require updating. There are no practical workarounds for these vulnerabilities, making timely patching the only effective mitigation.
Cisco has released updated Secure Endpoint Connector releases to address these issues. Affected customers are strongly urged to upgrade to the documented fixed versions for Windows, Linux, and macOS as part of their regular content and software update cycles. Security teams should consult the associated Cisco bug IDs and CVE entries for specific build numbers and deployment guidance to ensure a smooth transition and maintain endpoint security.