ClamAV 1.4.3 and 1.0.9 Released: Addressing Critical RCE Vulnerability

The ClamAV team has released versions 1.4.3 and 1.0.9, security patches that address a severe buffer overflow vulnerability and several other significant issues. Let’s look at what these updates fix and why you should upgrade immediately.

Addressing Severe Security Flaws

The primary focus of these updates is CVE-2025-20260, a severe buffer overflow write vulnerability in the PDF file parser. This vulnerability could cause a denial-of-service (DoS) condition or enable remote code execution (RCE). The issue affects configurations where the maximum file-size scan limit is set to 1024 MB or higher and the scanned input is at least 1025 MB.

While the root cause of the issue predates version 1.0.0, a change introduced in that version amplified the risk by enabling larger memory allocations based on potentially untrusted data. According to the ClamAV team, all currently supported versions are impacted, and the new releases contain a comprehensive fix.

Critical Fixes for Exploitable Bugs

In addition to addressing CVE-2025-20260, version 1.4.3 also resolves CVE-2025-20234, a buffer overflow read vulnerability in the UDF file parser. This vulnerability, introduced in version 1.2.0, could lead to information disclosure or a DoS condition.

Both releases incorporate a fix for a long-standing use-after-free bug in the decompression module of the bundled lzma-sdk library. This bug affected versions as far back as 0.99.4. While the fix is derived from lzma-sdk version 18.03, ClamAV has implemented tailored performance optimizations and selective bug fixes to ensure stability and security.

Tactics, Techniques, and Procedures (TTPs)

The tactics, techniques, and procedures (TTPs) related to these vulnerabilities are described using the MITRE ATT&CK framework:

  • TA0002 – Execution: Exploitation of the vulnerability to execute arbitrary code.
  • TA0040 – Impact: Causing a denial-of-service.
  • T1068 – Exploitation of Vulnerability: Attackers exploit a known vulnerability to cause unintended system behavior.
  • T1498 – Denial of Service: Attackers disrupt legitimate users’ access to services.

Impact & Exploit Potential

Successful exploitation of this vulnerability allows unauthenticated, remote attackers to submit crafted PDF files to ClamAV’s PDF scanner, triggering a heap-based buffer overflow. This may:

  • Crash the scanning process, resulting in a denial of service (DoS) condition.
  • Potentially allow arbitrary code execution with the privileges of the ClamAV process.

No user interaction is required, and exploitation can occur entirely remotely, making this a high-risk threat for any system relying on ClamAV for malware scanning.

Additional Improvements

In addition to the security patches, these releases include the following improvements:

  • Linux aarch64 Support: RPM and DEB installer packages for Linux aarch64 (ARM64) are now available for the 1.4 LTS release, expanding compatibility for users on ARM-based architectures.
  • Windows-Specific Fix: A Windows-specific build installation issue related to DLL dependency conflicts has been resolved. This ensures smoother deployment for Windows users.

Mitigation & Recommendations

To protect your systems from potential exploits, it is strongly recommended that you update to ClamAV version 1.4.3 or 1.0.9 as soon as possible. These updates address critical vulnerabilities that could lead to severe disruptions or unauthorized access.

The release files are available for download via the ClamAV downloads page, GitHub Release page, and Docker Hub.
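As an added illustration of the mitigation guidance above (example code written for this article, not code from ClamAV), the following Python checks two things a defender would want to know from an inventory: whether an installed ClamAV build predates the fixed releases 1.4.3 and 1.0.9, and whether clamd.conf raises MaxFileSize to the 1024 MB threshold the advisory names. It assumes the real clamd.conf option names MaxFileSize and MaxScanSize and the version line printed by clamscan --version; the sample configuration is constructed.

```python
import re

# Constructed sample clamd.conf excerpt (not taken from any real deployment).
SAMPLE_CLAMD_CONF = """\
# MaxFileSize raised above the 1024 MB threshold named in the advisory
MaxScanSize 2000M
MaxFileSize 1500M
ScanPDF yes
"""
FIXED = {(1, 0): (1, 0, 9), (1, 4): (1, 4, 3)}  # fixed releases, by series
THRESHOLD_BYTES = 1024 * 1024 * 1024              # 1024 MB
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_size(value):
    """Convert a clamd.conf size such as '100M' or '2g' to bytes (0 is treated as unlimited)."""
    m = re.fullmatch(r"(\d+)\s*([KMGkmg]?)", value.strip())
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2).upper()]

def version_needs_upgrade(version_output):
    """Parse 'clamscan --version' output such as 'ClamAV 1.4.2/27650/...' and return True
    unless the build is at or above the fix for its series; series with no named fix
    (for example 1.3.x) are flagged because the advisory offers them none."""
    m = re.search(r"ClamAV (\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no ClamAV version string found")
    version = tuple(int(x) for x in m.groups())
    fixed = FIXED.get(version[:2])
    return fixed is None or version < fixed

def max_file_size(conf_text):
    """Return MaxFileSize in bytes, 0 if unlimited, or None when the option is not set."""
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] == "MaxFileSize":
            return parse_size(parts[1])
    return None

def config_exposed(conf_text):
    """True when the configured limit admits files of 1024 MB or more."""
    size = max_file_size(conf_text)
    if size is None:
        return False  # built-in default applies, which is well below 1024 MB
    return size == 0 or size >= THRESHOLD_BYTES

def assess(version_output, conf_text):
    """CVE-2025-20260 needs both a pre-fix build and a raised limit; upgrading is still
    warranted on version alone because of the other fixes in these releases."""
    upgrade = version_needs_upgrade(version_output)
    exposed = config_exposed(conf_text)
    return {"needs_upgrade": upgrade, "limit_exposed": exposed, "at_risk": upgrade and exposed}
```

Feed `assess()` the output of `clamscan --version` and the contents of the host's clamd.conf; a result with `at_risk` set is a host to patch first, while `needs_upgrade` alone still calls for the update because of the UDF and lzma-sdk fixes.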

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.