CVE-2020-37167 — Code Injection in Clamav

CWE-94 — Code Injection7 documents5 sources

Severity

8.6HIGHNVD

EPSS

0.0%

top 99.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Clamav

Timeline

PublishedFeb 12

Latest updateFeb 13

Description

ClamAV versions prior to 0.103.0-rc contain a vulnerability in function name processing through the ClamBC bytecode interpreter that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious bytecode or cause unexpected behavior in the ClamAV engine.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages1 packages

▶debiandebian/clamav

🔴Vulnerability Details

GHSA

GHSA-9wpq-3w4j-985q: ClamAV ClamBC bytecode interpreter contains a vulnerability in function name processing that allows attackers to manipulate bytecode function names↗2026-02-13

▶

OSV

CVE-2020-37167: ClamAV versions prior to 0↗2026-02-12

▶

OSV

CVE-2020-37167: ClamAV ClamBC bytecode interpreter contains a vulnerability in function name processing that allows attackers to manipulate bytecode function names↗2026-02-12

▶

📋Vendor Advisories

Debian

CVE-2020-37167: clamav - ClamAV versions prior to 0.103.0-rc contain a vulnerability in function name pro...↗2020

▶

🕵️Threat Intelligence

Wiz

CVE-2026-20031 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2020-37167 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶