Source: clamav Version: 1.4.4+dfsg-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for clamav. CVE-2026-20213[0]: | A vulnerability in the PE file format parser of ClamAV could allow | an unauthenticated, remote attacker to cause a DoS condition, or | possibly other expanded impacts, resulting from memory corruption on | an affected device. This vulnerability is due to improper | boundary checks for content in PE files during scanning, which may | result in an out-of-bounds buffer write. An attacker could exploit | this vulnerability by submitting a crafted file that contains PE | content to be scanned by ClamAV on an affected device. A successful | exploit could allow the attacker to cause the ClamAV scanning | process to terminate, resulting in a DoS condition on the affected | software. CVE-2026-20214[1]: | A vulnerability in the FSG file format parser of ClamAV could allow | an unauthenticated, remote attacker to cause a DoS condition, or | possibly other expanded impacts, resulting from memory corruption on | an affected device. This vulnerability is due to improper | boundary checks for content in FSG files during scanning, which may | result in an out-of-bounds buffer write. An attacker could exploit | this vulnerability by submitting a crafted file that contains | portable executable content compressed with FSG to be scanned by | ClamAV on an affected device. A successful exploit could allow the | attacker to cause the ClamAV scanning process to terminate, | resulting in a DoS condition on the affected software. CVE-2026-20215[2]: | A vulnerability in the 7z file format parser of ClamAV could allow | an unauthenticated, remote attacker to cause a DoS condition, or | possibly other expanded impacts, resulting from memory corruption on | an affected device. This vulnerability is due to improper | boundary checks for content in 7z files during scanning, which may | result in an out-of-bounds buffer write. An attacker could exploit | this vulnerability by submitting a crafted file that contains | 7z content to be scanned by ClamAV on an affected device. A | successful exploit could allow the attacker to cause the ClamAV | scanning process to terminate, resulting in a DoS condition on the | affected software. CVE-2026-20216[3]: | A vulnerability in the InstallShield file format parser of ClamAV | could allow an unauthenticated, remote attacker to cause a DoS | condition on an affected device. This vulnerability is due to | improper handling of temporary resources during file scanning. An | attacker could exploit this vulnerability by submitting a crafted | InstallShield file to be scanned by ClamAV on an affected device. A | successful exploit could allow the attacker to terminate the ClamAV | scanning process and temporarily consume available system resources, | resulting in a DoS condition on the affected software. CVE-2026-20217[4]: | A vulnerability in the PESpin file format parser of ClamAV could | allow an unauthenticated, remote attacker to cause a DoS condition, | or possibly other expanded impacts, resulting from memory corruption | on an affected device. This vulnerability is due to improper | boundary checks for content in PESpin files during scanning, which | may result in an out-of-bounds buffer write. An attacker could | exploit this vulnerability by submitting a crafted file that | contains PESpin content to be scanned by ClamAV on an affected | device. A successful exploit could allow the attacker to cause the | ClamAV scanning process to terminate, resulting in a DoS condition | on the affected software. CVE-2026-20243[5]: | A vulnerability in the ALZ file format parser of ClamAV could allow | an unauthenticated, remote attacker to cause a DoS condition, or | possibly other expanded impacts, resulting from memory corruption on | an affected device. This vulnerability is due to improper | boundary checks for content in ALZ files during scanning, which may | result in an out-of-bounds buffer write. An attacker could exploit | this vulnerability by submitting a crafted file that contains ALZ | content to be scanned by ClamAV on an affected device. A successful | exploit could allow the attacker to cause the ClamAV scanning | process to terminate, resulting in a DoS condition on the affected | software. CVE-2026-20244[6]: | A vulnerability in the DMG file format parser of ClamAV could allow | an unauthenticated, remote attacker to cause a DoS condition, or | possibly other expanded impacts, resulting from memory corruption on | an affected device. This vulnerability is due to improper | boundary checks for content in DMG files during scanning, which may | result in an integer overflow on 32-bit platforms only. An attacker | could exploit this vulnerability by submitting a crafted file that | contains DMG content to be scanned by ClamAV on an affected device. | A successful exploit could allow the attacker to cause the ClamAV | scanning process to terminate, resulting in a DoS condition on the | affected software. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-20213 https://www.cve.org/CVERecord?id=CVE-2026-20213 [1] https://security-tracker.debian.org/tracker/CVE-2026-20214 https://www.cve.org/CVERecord?id=CVE-2026-20214 [2] https://security-tracker.debian.org/tracker/CVE-2026-20215 https://www.cve.org/CVERecord?id=CVE-2026-20215 [3] https://security-tracker.debian.org/tracker/CVE-2026-20216 https://www.cve.org/CVERecord?id=CVE-2026-20216 [4] https://security-tracker.debian.org/tracker/CVE-2026-20217 https://www.cve.org/CVERecord?id=CVE-2026-20217 [5] https://security-tracker.debian.org/tracker/CVE-2026-20243 https://www.cve.org/CVERecord?id=CVE-2026-20243 [6] https://security-tracker.debian.org/tracker/CVE-2026-20244 https://www.cve.org/CVERecord?id=CVE-2026-20244 [7] https://blog.clamav.net/2026/07/clamav-153-and-145-security-patch.html Regards, Salvatore

