Read this online at 
https://blog.clamav.net/2026/03/clamav-152-and-144-security-patch.html

Today, we are publishing the 1.5.2 and 1.4.4 security patch versions.
The release files for the patch versions are available for download on the 
ClamAV downloads<https://www.clamav.net/downloads> page, on the GitHub Release 
page<https://github.com/Cisco-Talos/clamav/releases>, and through Docker Hub 
with both Alpine<https://hub.docker.com/r/clamav/clamav/> and 
Debian<https://hub.docker.com/r/clamav/clamav-debian/> containers. The images 
on Docker Hub may not be immediately available on release day. Continue reading 
to learn what changed in each version.
1.5.2
ClamAV 1.5.2 is a patch release with the following fixes:

  *   CVE-2026-20031<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20031>: 
Fixed an error handling bug in the HTML file parser that may crash the program 
and cause a denial-of-service (DoS) condition. This issue was introduced in 
version 1.1.0. The fix is included in 1.5.2 and 1.4.4.
  *   Fixed a possible infinite loop when scanning some JPEG files by upgrading 
the affected ClamAV dependency, a Rust image library.
      *   Unfortunately, this change requires a newer Rust compiler for ClamAV.
The minimum Rust version for ClamAV 1.4.3 was 1.85.1.
The minimum Rust version for ClamAV 1.4.4 is now 1.87.0.
  *   Fixed a possible crash on Windows when scanning some files while using 
the LeaveTemporaryFiles and TemporaryDirectory features.
  *   The CVD verification process will now ignore certificate files in the CVD 
certs directory when the user lacks read permissions.
  *   Freshclam: Fix CLD verification bug with PrivateMirror option.
  *   Upgraded the Rust bytes dependency to a newer version to resolve 
RUSTSEC-2026-0007 advisory.
  *   Fixed a possible crash caused by invalid pointer alignment on some 
platforms. This fix is courtesy of Hsuan-Ming Chen at Synology PSIRT.


1.4.4
ClamAV 1.4.4 is a patch release with the following fixes:

  *   CVE-2026-20031<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20031>: 
Fixed an error handling bug in the HTML file parser that may crash the program 
and cause a DoS condition. This issue was introduced in version 1.1.0. The fix 
is included in 1.5.2 and 1.4.4.
  *   Fixed a possible crash when scanning some TIFF files by upgrading the 
affected ClamAV dependency, a Rust image library.
      *   Unfortunately, this change requires a newer Rust compiler for ClamAV.
The minimum Rust version for ClamAV 1.4.3 was 1.85.1.
The minimum Rust version for ClamAV 1.4.4 is now 1.87.0.
  *   Upgraded the Rust bytes dependency to a newer version to resolve 
RUSTSEC-2026-0007 advisory.
  *   Fixed a possible crash caused by invalid pointer alignment on some 
platforms. This fix is courtesy of Hsuan-Ming Chen at Synology PSIRT.



Respectfully,
Val

Valerie Snyder (she/they)
ClamAV Development
Talos
Cisco Systems, Inc.
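
A version check for the CVE-2026-20031 range stated in the announcement above (introduced in 1.1.0, fixed in 1.4.4 and 1.5.2), added here as an example; it is not part of the original message or of the ClamAV project's code. It assumes the `ClamAV <version>/...` banner format printed by `clamscan --version`, and the sample banners are constructed.

```shell
#!/bin/sh
# Added example: classify a ClamAV version banner against the CVE-2026-20031
# range from the announcement (introduced in 1.1.0, fixed in 1.4.4 and 1.5.2).

# ver_lt A B: succeed when dotted version A sorts strictly before B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" |
            sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# classify_banner BANNER: print affected, patched, not-affected or unknown.
# Pre-release or otherwise unexpected version strings are reported as unknown.
classify_banner() {
    v=$(printf '%s\n' "$1" | sed -n \
        's|^ClamAV \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)\(/.*\)\{0,1\}$|\1|p')
    [ -n "$v" ] || { echo unknown; return 0; }
    if ver_lt "$v" 1.1.0; then echo not-affected   # predates the bug
    elif ver_lt "$v" 1.4.4; then echo affected     # 1.1.0 through 1.4.3
    elif ver_lt "$v" 1.5.0; then echo patched      # 1.4.4 and later 1.4.x
    elif ver_lt "$v" 1.5.2; then echo affected     # 1.5.0 and 1.5.1
    else echo patched                              # 1.5.2 and later
    fi
}

# Constructed sample banners (assumed format), then the local install if any.
for b in 'ClamAV 1.0.9/27800/Mon Mar  2 09:00:00 2026' \
         'ClamAV 1.4.3/27800/Mon Mar  2 09:00:00 2026' \
         'ClamAV 1.5.2'; do
    printf '%s -> %s\n' "$b" "$(classify_banner "$b")"
done
if command -v clamscan >/dev/null 2>&1; then
    classify_banner "$(clamscan --version)"
fi
```

The result covers only CVE-2026-20031; the other fixes listed in the release notes are not evaluated.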