CVE-2012-1458
published 2012-03-21


Priority: P3 (35), medium
CVSS 2.0: 4.3 (vector AV:N/AC:M/Au:N/C:N/I:P/A:N)
EPSS: 73.74% (99.4th percentile)
The Microsoft CHM file parser in ClamAV 0.96.4 and Sophos Anti-Virus 4.61.0 allows remote attackers to bypass malware detection via a crafted reset interval in the LZXC header of a CHM file. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different CHM parser implementations.

Affected

7 ranges

Vendor    Product             Version range                            Fixed in
clamav    clamav              (not specified)                          (not specified)
clamav    clamav              >= 0, < 0.97.5+dfsg-1                    0.97.5+dfsg-1
clamav    clamav              >= 0, < 0.97.5+dfsg-1                    0.97.5+dfsg-1
clamav    clamav              >= 0, < 0.97.5+dfsg-1                    0.97.5+dfsg-1
clamav    clamav              >= 0, < 0.97.5+dfsg-1                    0.97.5+dfsg-1
debian    clamav              < clamav 0.97.5+dfsg-1 (bookworm)        clamav 0.97.5+dfsg-1 (bookworm)
sophos    sophos_anti-virus   (not specified)                          (not specified)

Detection & IOCs (extracted from sources)

  • Malware evasion via a crafted reset interval in the LZXC header of a CHM file: inspect CHM files for anomalous LZXC reset interval values to detect bypass attempts against AV parsers.
  • The attack vector is a specially crafted CHM file delivered remotely; CHM files containing malware may evade detection in ClamAV 0.96.4 and Sophos Anti-Virus 4.61.0. Treat CHM files from untrusted sources as high-risk until the parser is updated.
  • The vulnerability is confirmed in ClamAV 0.96.4; it is unclear whether it persisted into later versions prior to 0.97.5. Upgrade to 0.97.5 or later to remediate.
  • Sophos Anti-Virus 4.61.0 is also affected in addition to ClamAV 0.96.4; the record may be split into separate CVEs if the parsers are found to have failed independently.
  • The ClamAV 0.97.5 fix package introduced a regression that could cause scan failures on certain documents; verify that the regression fix (USN-1482-3) is also applied.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      4.3     MEDIUM     AV:N/AC:M/Au:N/C:N/I:P/A:N
osv             -         4.3     MEDIUM     -
vendor_debian   -         4.3     LOW        -
vendor_ubuntu   -         4.3     MEDIUM     -