Source: clamav
Version: 1.4.4+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for clamav.

CVE-2026-20213[0]:
| A vulnerability in the PE file format parser of ClamAV could allow
| an unauthenticated, remote attacker to cause a DoS condition, or
| possibly other expanded impacts, resulting from memory corruption on
| an affected device.    This vulnerability is due to improper
| boundary checks for content in PE files during scanning, which may
| result in an out-of-bounds buffer write. An attacker could exploit
| this vulnerability by submitting a crafted file that contains PE
| content to be scanned by ClamAV on an affected device. A successful
| exploit could allow the attacker to cause the ClamAV scanning
| process to terminate, resulting in a DoS condition on the affected
| software.


CVE-2026-20214[1]:
| A vulnerability in the FSG file format parser of ClamAV could allow
| an unauthenticated, remote attacker to cause a DoS condition, or
| possibly other expanded impacts, resulting from memory corruption on
| an affected device.    This vulnerability is due to improper
| boundary checks for content in FSG files during scanning, which may
| result in an out-of-bounds buffer write. An attacker could exploit
| this vulnerability by submitting a crafted file that contains
| portable executable content compressed with FSG to be scanned by
| ClamAV on an affected device. A successful exploit could allow the
| attacker to cause the ClamAV scanning process to terminate,
| resulting in a DoS condition on the affected software.


CVE-2026-20215[2]:
| A vulnerability in the 7z file format parser of ClamAV could allow
| an unauthenticated, remote attacker to cause a DoS condition, or
| possibly other expanded impacts, resulting from memory corruption on
| an affected device.    This vulnerability is due to improper
| boundary checks for content in 7z files during scanning, which may
| result in an out-of-bounds buffer write. An attacker could exploit
| this vulnerability by submitting a crafted file that contains
| 7z&nbsp;content to be scanned by ClamAV on an affected device. A
| successful exploit could allow the attacker to cause the ClamAV
| scanning process to terminate, resulting in a DoS condition on the
| affected software.


CVE-2026-20216[3]:
| A vulnerability in the InstallShield file format parser of ClamAV
| could allow an unauthenticated, remote attacker to cause a DoS
| condition on an affected device.    This vulnerability is due to
| improper handling of temporary resources during file scanning. An
| attacker could exploit this vulnerability by submitting a crafted
| InstallShield file to be scanned by ClamAV on an affected device. A
| successful exploit could allow the attacker to terminate the ClamAV
| scanning process and temporarily consume available system resources,
| resulting in a DoS condition on the affected software.


CVE-2026-20217[4]:
| A vulnerability in the PESpin file format parser of ClamAV could
| allow an unauthenticated, remote attacker to cause a DoS condition,
| or possibly other expanded impacts, resulting from memory corruption
| on an affected device.    This vulnerability is due to improper
| boundary checks for content in PESpin files during scanning, which
| may result in an out-of-bounds buffer write. An attacker could
| exploit this vulnerability by submitting a crafted file that
| contains PESpin content to be scanned by ClamAV on an affected
| device. A successful exploit could allow the attacker to cause the
| ClamAV scanning process to terminate, resulting in a DoS condition
| on the affected software.


CVE-2026-20243[5]:
| A vulnerability in the ALZ file format parser of ClamAV could allow
| an unauthenticated, remote attacker to cause a DoS condition, or
| possibly other expanded impacts, resulting from memory corruption on
| an affected device.    This vulnerability is due to improper
| boundary checks for content in ALZ files during scanning, which may
| result in an out-of-bounds buffer write. An attacker could exploit
| this vulnerability by submitting a crafted file that contains ALZ
| content to be scanned by ClamAV on an affected device. A successful
| exploit could allow the attacker to cause the ClamAV scanning
| process to terminate, resulting in a DoS condition on the affected
| software.


CVE-2026-20244[6]:
| A vulnerability in the DMG file format parser of ClamAV could allow
| an unauthenticated, remote attacker to cause a DoS condition, or
| possibly other expanded impacts, resulting from memory corruption on
| an affected device.    This vulnerability is due to improper
| boundary checks for content in DMG files during scanning, which may
| result in an integer overflow on 32-bit platforms only. An attacker
| could exploit this vulnerability by submitting a crafted file that
| contains DMG content to be scanned by ClamAV on an affected device.
| A successful exploit could allow the attacker to cause the ClamAV
| scanning process to terminate, resulting in a DoS condition on the
| affected software.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-20213
    https://www.cve.org/CVERecord?id=CVE-2026-20213
[1] https://security-tracker.debian.org/tracker/CVE-2026-20214
    https://www.cve.org/CVERecord?id=CVE-2026-20214
[2] https://security-tracker.debian.org/tracker/CVE-2026-20215
    https://www.cve.org/CVERecord?id=CVE-2026-20215
[3] https://security-tracker.debian.org/tracker/CVE-2026-20216
    https://www.cve.org/CVERecord?id=CVE-2026-20216
[4] https://security-tracker.debian.org/tracker/CVE-2026-20217
    https://www.cve.org/CVERecord?id=CVE-2026-20217
[5] https://security-tracker.debian.org/tracker/CVE-2026-20243
    https://www.cve.org/CVERecord?id=CVE-2026-20243
[6] https://security-tracker.debian.org/tracker/CVE-2026-20244
    https://www.cve.org/CVERecord?id=CVE-2026-20244
[7] https://blog.clamav.net/2026/07/clamav-153-and-145-security-patch.html

Regards,
Salvatore

Reply via email to