CVE-2025-20260
Published 2025-06-18
Priority P2 · 66 · critical · CVSS 3.1 base score 9.8
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 1.54% (71.7th percentile)
A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device.
This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.
Affected
24 ranges (the 10 cisco/clamav entries carry no version data and are shown as a single row)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | clamav | — | — |
| clamav | clamav | < 1.0.9 | 1.0.9 |
| clamav | clamav | >= 0 < 1.0.9+dfsg-1~deb11u1 | 1.0.9+dfsg-1~deb11u1 |
| clamav | clamav | >= 0 < 1.0.9+dfsg-1~deb12u1 | 1.0.9+dfsg-1~deb12u1 |
| clamav | clamav | >= 0 < 1.4.3+dfsg-1 | 1.4.3+dfsg-1 |
| clamav | clamav | >= 0 < 1.4.3+dfsg-1 | 1.4.3+dfsg-1 |
| clamav | clamav | >= 0 < 1.4.3+dfsg-0ubuntu0.22.04.1 | 1.4.3+dfsg-0ubuntu0.22.04.1 |
| clamav | clamav | >= 0 < 1.4.3+dfsg-0ubuntu0.24.04.1 | 1.4.3+dfsg-0ubuntu0.24.04.1 |
| clamav | clamav | >= 0 < 1.4.3+dfsg-0ubuntu0.20.04.1+esm1 | 1.4.3+dfsg-0ubuntu0.20.04.1+esm1 |
| clamav | clamav | >= 1.2.0 < 1.4.3 | 1.4.3 |
| debian | clamav | < clamav 1.0.9+dfsg-1~deb12u1 (bookworm) | clamav 1.0.9+dfsg-1~deb12u1 (bookworm) |
| msrc | azl3_clamav_1.0.7-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_clamav_1.0.9-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_clamav_1.0.7-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_clamav_1.0.9-1_on_cbl_mariner_2.0 | — | — |
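The upstream ranges in the table, `< 1.0.9` (fixed in 1.0.9) and `>= 1.2.0 < 1.4.3` (fixed in 1.4.3), can be turned directly into an inventory check. The following is an added example, not code from the advisory or from any of the sources quoted on this page. It assumes that the distribution builds listed here carry the same upstream version number as the upstream fix (as the table shows for the Debian and Ubuntu entries), so the upstream part of a package version is what decides exposure; the 1.1.x line does not appear in the table, so the check reports it as unlisted rather than as safe. The host names and versions in the inventory are constructed.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Affected upstream ranges for CVE-2025-20260 as listed in the table above:
# ">= 0 < 1.0.9" (fixed in 1.0.9) and ">= 1.2.0 < 1.4.3" (fixed in 1.4.3).
AFFECTED_RANGES = [
    ((0, 0, 0), (1, 0, 9)),
    ((1, 2, 0), (1, 4, 3)),
]


def upstream_version(package_version: str) -> Version:
    """Reduce a package version such as '1.0.9+dfsg-1~deb12u1' or '1:1.4.3-1'
    to its numeric upstream part, (1, 0, 9) or (1, 4, 3).

    Assumption: the distribution fixes on this page ship the upstream fix under
    the same upstream number, so the upstream part is what decides exposure.
    """
    without_epoch = package_version.split(":")[-1]  # drop a dpkg epoch like '1:'
    m = re.match(r"\d+(?:\.\d+)*", without_epoch)
    if not m:
        raise ValueError(f"unrecognised version string: {package_version!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return (parts + (0, 0, 0))[:3]


def status(package_version: str) -> str:
    """Classify a ClamAV version for CVE-2025-20260.

    'vulnerable': inside one of the listed affected ranges.
    'fixed':      at or beyond the fix that closes that version's line.
    'unlisted':   the table says nothing about this version (e.g. the 1.1.x
                  line); treat it as needing manual confirmation, not as safe.
    """
    v = upstream_version(package_version)
    for lower, upper in AFFECTED_RANGES:
        if lower <= v < upper:
            return "vulnerable"
    if v >= (1, 4, 3):
        return "fixed"
    if (1, 0, 9) <= v < (1, 1, 0):
        return "fixed"
    return "unlisted"


def hosts_needing_action(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return {host: status} for every host that is not confirmed fixed."""
    return {
        host: s
        for host, ver in inventory.items()
        if (s := status(ver)) != "fixed"
    }


# Constructed inventory: hostnames and versions are illustrative, not real hosts.
SAMPLE_INVENTORY = {
    "mx-01": "1.0.8+dfsg-1~deb12u1",
    "mx-02": "1.0.9+dfsg-1~deb12u1",
    "gw-01": "1:1.4.2-0ubuntu0.22.04.1",
    "gw-02": "1.4.3+dfsg-0ubuntu0.22.04.1",
    "lab-01": "1.1.3",
}

if __name__ == "__main__":
    for host, s in hosts_needing_action(SAMPLE_INVENTORY).items():
        print(f"{host}: {s} ({SAMPLE_INVENTORY[host]})")
```

Feeding it a real inventory is a matter of replacing `SAMPLE_INVENTORY` with the output of the package manager on each host (for example `dpkg-query -W -f='${Version}' clamav`); the three-way result matters because a distribution may backport the fix without bumping the upstream number, in which case the package changelog, not this check, is authoritative.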
Detection & IOCs (extracted from sources)
- Trigger condition is a crafted PDF file submitted for ClamAV scanning; monitor for ClamAV process termination or crashes during PDF scan operations as a potential exploitation indicator.
- The vulnerability is in the PDF scanning process specifically due to incorrect memory buffer allocation; detection should focus on anomalous ClamAV process crashes (SIGSEGV/SIGABRT) when processing PDF files.
- Arbitrary code execution, if achieved, would run with the privileges of the ClamAV scanning process; monitor for unexpected child processes or privilege escalation originating from the ClamAV process after PDF scanning.
- Debian fixed versions are 1.0.9+dfsg-1~deb12u1 (bookworm), 1.0.9+dfsg-1~deb11u1 (bullseye), and 1.4.3+dfsg-1 (forky/sid/trixie); ensure deployed ClamAV meets or exceeds these versions.
- Ubuntu 20.04 LTS requires a separate update (USN-7615-2) in addition to the base USN-7615-1 advisory; verify patching on all Ubuntu LTS versions independently.
- Microsoft Azure Linux (CBL-Mariner) is also affected and requires a separate update; check Azure Linux deployments running ClamAV.
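The detection bullets above amount to one rule: a clamd crash (SIGSEGV/SIGABRT) whose most recent scan target was a PDF. The following is an added example, not part of this page or of the ClamAV project, that runs that rule over constructed journal lines. It assumes clamd logs each scanned path as `<path>: OK` or `<path>: <signature> FOUND` (the former requires LogClean to be enabled) and that crashes surface either as kernel `segfault` lines or as systemd `code=dumped, status=N/SEGV|ABRT` lines; those are the common shapes, but they should be checked against the logging configuration of the host being monitored.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed journal lines (no real host, PIDs or addresses) modelled on the shapes
# that clamd with LogClean, the kernel segfault reporter and systemd emit.
SAMPLE_JOURNAL = """\
Jun 18 10:02:11 av01 clamd[2417]: /var/spool/mail-scan/invoice-2025.pdf: OK
Jun 18 10:02:12 av01 kernel: clamd[2417]: segfault at 0 ip 00007f3a1c0e2b10 sp 00007ffd2d0c1a40 error 4 in libclamav.so.12[7f3a1bfe0000+2f0000]
Jun 18 10:02:12 av01 systemd[1]: clamav-daemon.service: Main process exited, code=dumped, status=11/SEGV
Jun 18 10:02:13 av01 systemd[1]: clamav-daemon.service: Scheduled restart job, restart counter is at 1.
Jun 18 10:05:40 av01 clamd[3102]: /var/spool/mail-scan/report.docx: OK
Jun 18 10:05:41 av01 systemd[1]: clamav-daemon.service: Main process exited, code=dumped, status=6/ABRT
Jun 18 10:09:02 av01 clamd[3310]: /var/spool/mail-scan/eicar.com: Eicar-Signature FOUND
""".splitlines()

# A scan result line: "<path>: OK" or "<path>: <signature> FOUND".
SCAN_RE = re.compile(r" clamd\[(?P<pid>\d+)\]: (?P<path>\S+): (?:OK|\S+ FOUND)$")
# Kernel-reported segfault of a clamd process.
KERNEL_CRASH_RE = re.compile(r" kernel: clamd\[(?P<pid>\d+)\]: segfault ")
# systemd reporting the daemon's main process died by SIGSEGV or SIGABRT.
SYSTEMD_CRASH_RE = re.compile(
    r"clamav-daemon\.service: Main process exited, code=dumped, status=\d+/(?P<sig>SEGV|ABRT)"
)


@dataclass
class CrashAlert:
    line_no: int
    signal: str
    last_scanned: Optional[str]
    pdf_related: bool


def detect_scan_crashes(lines: Iterable[str]) -> List[CrashAlert]:
    """Emit one alert per clamd crash, tagged with the last path scanned before it."""
    alerts: List[CrashAlert] = []
    last_scanned: Optional[str] = None
    # The kernel line and the systemd line usually describe the same crash;
    # report it once until a new scan result shows the daemon is working again.
    reported = False
    for line_no, line in enumerate(lines, 1):
        m = SCAN_RE.search(line)
        if m:
            last_scanned = m.group("path")
            reported = False
            continue
        signal = None
        if KERNEL_CRASH_RE.search(line):
            signal = "SEGV"
        else:
            m = SYSTEMD_CRASH_RE.search(line)
            if m:
                signal = m.group("sig")
        if signal is None or reported:
            continue
        reported = True
        pdf_related = last_scanned is not None and last_scanned.lower().endswith(".pdf")
        alerts.append(CrashAlert(line_no, signal, last_scanned, pdf_related))
    return alerts


def pdf_crash_alerts(lines: Iterable[str]) -> List[CrashAlert]:
    """Only the crashes that followed a PDF scan, the indicator the advisory points at."""
    return [a for a in detect_scan_crashes(lines) if a.pdf_related]


if __name__ == "__main__":
    for alert in detect_scan_crashes(SAMPLE_JOURNAL):
        flag = "PDF-related" if alert.pdf_related else "other"
        print(f"line {alert.line_no}: clamd died by SIG{alert.signal} after {alert.last_scanned} ({flag})")
```

On a real host the same functions can be fed `journalctl -u clamav-daemon -k -o short` output; the `last_scanned` attribution is only as good as the scan logging, so a crash with `last_scanned` of `None` means the daemon crashed without ever logging a completed scan and deserves a look rather than being discarded.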
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- osv: 9.8 CRITICAL
- vendor_debian: 9.8 CRITICAL
- vendor_msrc: 9.8 CRITICAL
- vendor_ubuntu: 5.3 MEDIUM
OSV · clamav vulnerabilities · osv · 2025-07-07 · CVSS 7.5 · CVE-2025-20234 [HIGH]
USN-7615-1 fixed several vulnerabilities in ClamAV. This update provides the corresponding update for Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that ClamAV incorrectly handled scanning UDF files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2025-20234)
It was discovered that ClamAV incorrectly handled scanning PDF files. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2025-20260)
OSV · clamav vulnerabilities · osv · 2025-07-02 · CVSS 7.5 · CVE-2025-20234 [HIGH]
It was discovered that ClamAV incorrectly handled scanning UDF files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2025-20234)
It was discovered that ClamAV incorrectly handled scanning PDF files. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2025-20260)
OSV · CVE-2025-20260 · osv · 2025-06-18 · CVSS 9.8 · CVE-2025-20260 [CRITICAL]
A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.
GHSA · GHSA-596c-w2jc-jmmx · ghsa_unreviewed · 2025-06-18 · CVE-2025-20260 [CRITICAL] · CWE-122
A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device.
This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.
Ubuntu · ClamAV vulnerabilities · vendor_ubuntu · 2025-07-07 · CVSS 5.3 · CVE-2025-20260 [MEDIUM]
Title: ClamAV vulnerabilities
Summary: Several security issues were fixed in ClamAV.
USN-7615-1 fixed several vulnerabilities in ClamAV. This update provides the corresponding update for Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that ClamAV incorrectly handled scanning UDF files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2025-20234)
It was discovered that ClamAV incorrectly handled scanning PDF files. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2025-20260)
Instructions: This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.
Ubuntu · ClamAV vulnerabilities · vendor_ubuntu · 2025-07-02 · CVSS 5.3 · CVE-2025-20260 [MEDIUM]
Title: ClamAV vulnerabilities
Summary: Several security issues were fixed in ClamAV.
It was discovered that ClamAV incorrectly handled scanning UDF files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2025-20234)
It was discovered that ClamAV incorrectly handled scanning PDF files. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2025-20260)
Instructions: This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.
Microsoft · ClamAV PDF Scanning Buffer Overflow Vulnerability · vendor_msrc · 2025-06-10 · CVSS 9.8 · CVE-2025-20260 [CRITICAL] · CWE-122
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, cisco
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.micro
Debian · CVE-2025-20260: clamav · vendor_debian · 2025 · CVSS 9.8 · CVE-2025-20260 [CRITICAL]
A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.
No detection rules found.
No public exploits indexed.
Wiz · CVE-2026-20031 Impact, Exploitability, and Mitigation Steps · blogs_wiz · CVSS 8.6 · CVE-2026-20031 [HIGH]
CVE-2026-20031: Clam AntiVirus vulnerability analysis and mitigation
A vulnerability in the HTML Cascading Style Sheets (CSS) module of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
This vulnerability is due to improper error handling when splitting UTF-8 strings. An attacker could exploit this vulnerability by submitting a crafted HTML file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the scanning process.
Source: NVD
Score: 5.3 · Published March 4, 2026 · Severity MEDIUM · CNA Score 5.3
Affected Technologies: Clam AntiVirus
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Proba
Wiz · CVE-2020-37167 Impact, Exploitability, and Mitigation Steps · blogs_wiz · CVSS 8.6 · CVE-2020-37167 [HIGH]
CVE-2020-37167: Clam AntiVirus vulnerability analysis and mitigation
ClamAV versions prior to 0.103.0-rc contain a vulnerability in function name processing through the ClamBC bytecode interpreter that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious bytecode or cause unexpected behavior in the ClamAV engine.
Source: NVD
Score: 8.6 · Published February 12, 2026 · Severity HIGH · CNA Score 8.6
Affected Technologies: Clam AntiVirus, Linux Ubuntu
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.4 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: clamav
Bugzilla · CVE-2025-20260 squidclamav: ClamAV PDF Scanning Buffer Overflow Vulnerability [fedora-42] · bugzilla · 2025-06-18 · CVSS 9.8 · CVE-2025-20260 [CRITICAL]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2373726
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.