What is CVE-2025-20260?

CVE-2025-20260 (CVSS score 9.8) is a critical buffer overflow write vulnerability in the PDF file parser. This flaw affects configurations where both the maximum file-size scan limit is set to 1024MB or higher and the maximum scan-size limit is configured to at least 1025MB. The vulnerability could allow an unauthenticated, remote attacker to cause a buffer overflow or execute arbitrary code.

What is CVE-2025-20234?

CVE-2025-20234 (CVSS score 5.3) is a buffer overflow read vulnerability affecting the Universal Disk Format (UDF) file parser. This flaw was introduced in version 1.2.0 and impacts the engine's ability to process files using UDF, a filesystem format commonly found on DVDs and ISO images.

Which organizations are most at risk from CVE-2025-20260?

CVE-2025-20260 particularly affects enterprise environments and high-throughput scanning operations, as these commonly deploy the specific configuration settings (maximum file-size scan limit of 1024MB or higher and maximum scan-size limit of at least 1025MB) that make this vulnerability exploitable.

How can attackers exploit CVE-2025-20234?

By submitting a malformed UDF file, an attacker could exploit CVE-2025-20234 to trigger a denial of service condition, terminating the ClamAV scanning process. The vulnerability may also lead to information disclosure by causing the system to write sensitive data to temporary files.

What other vulnerabilities do these patches address?

Both patch releases resolve a persistent use-after-free vulnerability in the Xz decompression module within ClamAV's bundled lzma-sdk library. This security flaw affects ClamAV versions dating back at least to 0.99.4, representing a long-standing issue that could potentially be exploited to cause crashes or enable code execution.

When was the code issue behind CVE-2025-20260 introduced?

The underlying code issue existed prior to version 1.0.0, but a modification in version 1.0.0 enabled larger memory allocations based on untrusted data, making the vulnerability exploitable. The vulnerability affects all currently supported ClamAV versions.

Do these patches fix any Windows-specific issues?

Yes, the security updates also address a Windows-specific build installation issue that could complicate deployment processes. This fix resolves conflicts that occur when ClamAV DLL dependencies, such as libcrypto, share identical names with components provided by the Windows operating system.

How long has the use-after-free vulnerability existed?

The use-after-free vulnerability in the Xz decompression module affects ClamAV versions dating back at least to 0.99.4, making it a long-standing security issue that has existed for multiple years across many ClamAV releases.

Which ClamAV versions should organizations upgrade to?

Organizations are strongly encouraged to prioritize immediate upgrades to either version 1.4.3 or 1.0.9, depending on their current version track, to address these critical security vulnerabilities.

What is the severity level of these ClamAV vulnerabilities?

The vulnerabilities range from medium to critical severity, with CVE-2025-20260 being the most critical at CVSS score 9.8, CVE-2025-20234 at 5.3, and the use-after-free vulnerability potentially enabling code execution or crashes.

Why is immediate patching critical for ClamAV users?

Immediate patching is critical because CVE-2025-20260 has a CVSS score of 9.8 and could allow remote code execution in enterprise environments, the use-after-free vulnerability has existed for years and affects multiple versions, and ClamAV is often deployed in security-critical roles where compromise could have significant consequences.

Advisory

ClamAV releases updates patching multiple flaws, at least one critical

Q: What security patches did ClamAV release?

The ClamAV development team released security patch versions 1.4.3 and 1.0.9, addressing multiple vulnerabilities in the ClamAV antivirus software, including critical buffer overflow and use-after-free vulnerabilities.

published: June 19, 2025

Take action: If you're running ClamAV antivirus, update to version 1.4.3 or 1.0.9. There's a flaw that can be exploited with a malicious PDF attachment sent to email, allowing for remote code execution. Prioritize this update in enterprise environments where ClamAV is configured with higher scan limits, as these are the most vulnerable configurations.

Learn More

The ClamAV development team has released security patch versions, 1.4.3 and 1.0.9, addressing multiple vulnerabilities in the ClamAV antivirus.

Vulnerabilities summary

CVE-2025-20260 (CVSS score 9.8) a buffer overflow write vulnerability in the PDF file parser. This flaw affects configurations where both the maximum file-size scan limit is set to 1024MB or higher and the maximum scan-size limit is configured to at least 1025MB. The underlying code issue existed prior to version 1.0.0 but a modification in that version enabled larger memory allocations based on untrusted data, making the vulnerability exploitable. The vulnerability could allow an unauthenticated, remote attacker to cause a buffer overflow or execute arbitrary code.
- These configuration settings are commonly deployed in enterprise environments and high-throughput scanning operations. The vulnerability affects all currently supported ClamAV versions
CVE-2025-20234 (CVSS score 5.3) a buffer overflow read vulnerability affecting the Universal Disk Format (UDF) file parser. This flaw was introduced in version 1.2.0 and impacts the engine's ability to process files using UDF, a filesystem format commonly found on DVDs and ISO images. By submitting a malformed UDF file, an attacker could exploit this flaw to trigger a DoS condition, terminating the ClamAV scanning process. The vulnerability may also lead to information disclosure by causing the system to write sensitive data to temporary files.
- Version 1.4.3 patches this flaw
Both patch releases resolve a persistent use-after-free vulnerability in the Xz decompression module within ClamAV's bundled lzma-sdk library. This security flaw affects ClamAV versions dating back at least to 0.99.4, representing a long-standing issue that could potentially be exploited to cause crashes or enable code execution.
The security updates also address a Windows-specific build installation issue that could complicate deployment processes. This fix resolves conflicts that occur when ClamAV DLL dependencies, such as libcrypto, share identical names with components provided by the Windows operating system.

Organizations are strongly encouraged to prioritize immediate upgrades to either version 1.4.3 or 1.0.9

ClamAV releases updates patching multiple flaws, at least one critical

Read More
Multiple security flaws, two critical expose IBM Db2 …
Critical MS-Agent Vulnerability Allows Full System Takeover via …
Elastic reports critical vulnerabilities in Kibana, releases patch
CISA reports active exploitation of Mitel MiCollab flaws
SAP releases January 2025 patch, fixes at least …