Read this online at: 
https://blog.clamav.net/2026/07/clamav-153-and-145-security-patch.html

Today, we are publishing the 1.5.3 and 1.4.5 security patch versions.
The release files for the patch versions are available for download on the 
ClamAV downloads<https://www.clamav.net/downloads> page, on the GitHub Release 
page<https://github.com/Cisco-Talos/clamav/releases>, and through Docker Hub 
with both Alpine<https://hub.docker.com/r/clamav/clamav/> and 
Debian<https://hub.docker.com/r/clamav/clamav-debian/> containers. The images 
on Docker Hub may not be immediately available on release day. Continue reading 
to learn what changed in each version.
1.5.3
ClamAV 1.5.3 is a patch release with the following fixes:

  *
CVE-2026-20217<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20217>: 
Fixed a bug in the PESpin unpacker cleanup path that could free pointers into 
the scanned file buffer and crash the scanner.
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 
2005. The fix is included in 1.5.3 and 1.4.5.
Thank you to Atuin - Automated Vulnerability Discovery Engine, Tianchu Chen of 
Tencent Xuanwu Lab for identifying this issue.
  *
CVE-2026-20213<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20213>: 
Fixed an integer overflow in PE rebuild size calculations that could be reached 
through a malformed Aspack-packed PE file and lead to a heap buffer overflow 
write.
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 
2007. The fix is included in 1.5.3 and 1.4.5.
Thank you to Trail of Bits, in collaboration with Anthropic, for identifying 
this issue.
  *
CVE-2026-20216<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20216>: 
Fixed an InstallShield archive extraction limit bypass that could write far 
more temporary data than intended and exhaust temporary storage.
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 
2009. The fix is included in 1.5.3 and 1.4.5.
Thank you to Mizu for identifying this issue.
  *
CVE-2026-20214<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20214>: 
Fixed an FSG unpacker loop underflow that could write past the section array 
while scanning a malformed PE file.
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 
2004. The fix is included in 1.5.3 and 1.4.5.
Thank you to Trail of Bits, in collaboration with Anthropic, for identifying 
this issue.
  *
CVE-2026-20243<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20243>: 
Fixed ALZ parser size handling bugs that could cause malformed ALZ archives to 
panic, abort the scanner, or skip expected scan-limit handling.
This issue affects ClamAV 1.5.0 through 1.5.2 and 1.4.0 through 1.4.4. The fix 
is included in 1.5.3 and 1.4.5.
Thank you to Yazdan Soltani for identifying this issue.
  *
CVE-2026-20215<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20215>: 
Fixed a 7z parser substream count overflow that could under-allocate parser 
metadata arrays and write past them while reading a malformed archive.
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions back to 2009. 
The fix is included in 1.5.3 and 1.4.5.
Thank you to Trail of Bits, in collaboration with Anthropic, for identifying 
this issue.
  *
CVE-2026-20244<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20244>: 
Fixed 32-bit DMG parser size checks that could let a short mish stripe table 
pass validation and crash 32-bit scanner builds.
This issue affects 32-bit ClamAV builds from 0.98.1 through 1.5.2, including 
1.4.0 through 1.4.4 and 1.5.0 through 1.5.2. It does not affect 64-bit builds. 
The fix is included in 1.5.3 and 1.4.5.
Thank you to Stanley John Tobias for identifying this issue.
  *
Hardened clamscan, clamdscan, and clamonacc quarantine actions against 
time-of-check/time-of-use races that could redirect copied, moved, or removed 
files under unsafe quarantine directory configurations.
Thank you to Hiroki Imai from Ricerca Security, Inc. for identifying this issue.
  *
Upgraded the Rust tar dependency to resolve the RUSTSEC-2026-0067 and 
RUSTSEC-2026-0068 advisories, and upgraded the Rust openssl dependency to 
resolve CVE-2026-41676.
  *
Raised the minimum required CMake version to 3.17 to fix Linux builds with 
libcurl v8.21.0 when linking static library dependencies.
  *
Metadata preclass scans now run before the final scan verdict.
  *
ClamOnAcc: Fixed errors when recursively excluded paths are children of an 
included path.
  *
ClamOnAcc: Fixed hash bucket list corruption when two watched paths collide in 
the same bucket.
These fixes are courtesy of sharkautarch.

1.4.5
ClamAV 1.4.5 is a patch release with the following fixes:

  *
CVE-2026-20217<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20217>: 
Fixed a bug in the PESpin unpacker cleanup path that could free pointers into 
the scanned file buffer and crash the scanner.
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 
2005. The fix is included in 1.5.3 and 1.4.5.
Thank you to Atuin - Automated Vulnerability Discovery Engine, Tianchu Chen of 
Tencent Xuanwu Lab for identifying this issue.
  *
CVE-2026-20213<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20213>: 
Fixed an integer overflow in PE rebuild size calculations that could be reached 
through a malformed Aspack-packed PE file and lead to a heap buffer overflow 
write.
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 
2007. The fix is included in 1.5.3 and 1.4.5.
Thank you to Trail of Bits, in collaboration with Anthropic, for identifying 
this issue.
  *
CVE-2026-20216<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20216>: 
Fixed an InstallShield archive extraction limit bypass that could write far 
more temporary data than intended and exhaust temporary storage.
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 
2009. The fix is included in 1.5.3 and 1.4.5.
Thank you to Mizu for identifying this issue.
  *
CVE-2026-20214<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20214>: 
Fixed an FSG unpacker loop underflow that could write past the section array 
while scanning a malformed PE file.
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 
2004. The fix is included in 1.5.3 and 1.4.5.
Thank you to Trail of Bits, in collaboration with Anthropic, for identifying 
this issue.
  *
CVE-2026-20243<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20243>: 
Fixed ALZ parser size handling bugs that could cause malformed ALZ archives to 
panic, abort the scanner, or skip expected scan-limit handling.
This issue affects ClamAV 1.5.0 through 1.5.2 and 1.4.0 through 1.4.4. The fix 
is included in 1.5.3 and 1.4.5.
Thank you to Yazdan Soltani for identifying this issue.
  *
CVE-2026-20215<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20215>: 
Fixed a 7z parser substream count overflow that could under-allocate parser 
metadata arrays and write past them while reading a malformed archive.
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions back to 2009. 
The fix is included in 1.5.3 and 1.4.5.
Thank you to Trail of Bits, in collaboration with Anthropic, for identifying 
this issue.
  *
CVE-2026-20244<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20244>: 
Fixed 32-bit DMG parser size checks that could let a short mish stripe table 
pass validation and crash 32-bit scanner builds.
This issue affects 32-bit ClamAV builds from 0.98.1 through 1.5.2, including 
1.4.0 through 1.4.4 and 1.5.0 through 1.5.2. It does not affect 64-bit builds. 
The fix is included in 1.5.3 and 1.4.5.
Thank you to Stanley John Tobias for identifying this issue.
  *
Hardened clamscan, clamdscan, and clamonacc quarantine actions against 
time-of-check/time-of-use races that could redirect copied, moved, or removed 
files under unsafe quarantine directory configurations.
Thank you to Hiroki Imai from Ricerca Security, Inc. for identifying this issue.
  *
Raised the minimum required CMake version to 3.17 to fix Linux builds with 
libcurl v8.21.0 when linking static library dependencies.
  *
ClamOnAcc: Fixed errors when recursively excluded paths are children of an 
included path.
This fix is courtesy of sharkautarch.



Respectfully,
Val

Valerie Snyder (she/they)
ClamAV Development
Talos
Cisco Systems, Inc.
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat

Reply via email to