CVE-2025-20260
published 2025-06-18

Priority: P266, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.54% (71.7th percentile)

A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.

Affected

24 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | clamav | | |
| cisco | clamav | | |
| cisco | clamav | | |
| cisco | clamav | | |
| cisco | clamav | | |
| cisco | clamav | | |
| cisco | clamav | | |
| cisco | clamav | | |
| cisco | clamav | | |
| cisco | clamav | | |
| clamav | clamav | < 1.0.9 | 1.0.9 |
| clamav | clamav | >= 0 < 1.0.9+dfsg-1~deb11u1 | 1.0.9+dfsg-1~deb11u1 |
| clamav | clamav | >= 0 < 1.0.9+dfsg-1~deb12u1 | 1.0.9+dfsg-1~deb12u1 |
| clamav | clamav | >= 0 < 1.4.3+dfsg-1 | 1.4.3+dfsg-1 |
| clamav | clamav | >= 0 < 1.4.3+dfsg-1 | 1.4.3+dfsg-1 |
| clamav | clamav | >= 0 < 1.4.3+dfsg-0ubuntu0.22.04.1 | 1.4.3+dfsg-0ubuntu0.22.04.1 |
| clamav | clamav | >= 0 < 1.4.3+dfsg-0ubuntu0.24.04.1 | 1.4.3+dfsg-0ubuntu0.24.04.1 |
| clamav | clamav | >= 0 < 1.4.3+dfsg-0ubuntu0.20.04.1+esm1 | 1.4.3+dfsg-0ubuntu0.20.04.1+esm1 |
| clamav | clamav | >= 1.2.0 < 1.4.3 | 1.4.3 |
| debian | clamav | < clamav 1.0.9+dfsg-1~deb12u1 (bookworm) | clamav 1.0.9+dfsg-1~deb12u1 (bookworm) |
| msrc | azl3_clamav_1.0.7-2_on_azure_linux_3.0 | | |
| msrc | azl3_clamav_1.0.9-1_on_azure_linux_3.0 | | |
| msrc | cbl2_clamav_1.0.7-1_on_cbl_mariner_2.0 | | |
| msrc | cbl2_clamav_1.0.9-1_on_cbl_mariner_2.0 | | |

Detection & IOCs (extracted from sources)

  • Trigger condition is a crafted PDF file submitted for ClamAV scanning; monitor for ClamAV process termination or crashes during PDF scan operations as a potential exploitation indicator.
  • The vulnerability is in the PDF scanning process specifically due to incorrect memory buffer allocation; detection should focus on anomalous ClamAV process crashes (SIGSEGV/SIGABRT) when processing PDF files.
  • Arbitrary code execution, if achieved, would run with the privileges of the ClamAV scanning process; monitor for unexpected child processes or privilege escalation originating from the ClamAV process after PDF scanning.
  • Debian fixed versions are 1.0.9+dfsg-1~deb12u1 (bookworm), 1.0.9+dfsg-1~deb11u1 (bullseye), and 1.4.3+dfsg-1 (forky/sid/trixie); ensure deployed ClamAV meets or exceeds these versions.
  • Ubuntu 20.04 LTS requires a separate update (USN-7615-2) in addition to the base USN-7615-1 advisory; verify patching on all Ubuntu LTS versions independently.
  • Microsoft Azure Linux (CBL-Mariner) is also affected and requires a separate update; check Azure Linux deployments running ClamAV.

CVSS provenance

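| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_msrc | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 5.3 | MEDIUM | |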