ClamAV 1.4.3 and 1.0.9 Released With Critical Buffer Overflow Vulnerabilities

The ClamAV development team has released critical security patches addressing multiple vulnerabilities, including a severe buffer overflow vulnerability that could enable remote code execution.

The new versions 1.4.3 and 1.0.9 are now available through the official downloads page, GitHub releases, and Docker Hub, with the 1.4 LTS release also gaining Linux ARM64 installer package support for the first time.

The most significant security fix addresses CVE-2025-20260, a buffer overflow write vulnerability in the PDF file parser.

This vulnerability could potentially allow attackers to execute remote code or cause denial-of-service conditions on affected systems.

The vulnerability can only be triggered in configurations where administrators have raised both the maximum file-size scan limit to 1024MB or greater and the maximum scan-size limit to 1025MB or greater.
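A practical way to check whether a clamd.conf falls inside the configuration window described above is to parse the two size directives and compare them with the advisory's thresholds. This is an added example, not ClamAV project code; it assumes the standard clamd.conf directive names MaxFileSize and MaxScanSize, the K/M/G size suffixes, and the sample-file defaults of 25M and 100M.

```python
import re

# clamd.conf size suffixes (case-insensitive); a bare number is bytes.
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# Thresholds named in the advisory: MaxFileSize >= 1024 MB and MaxScanSize >= 1025 MB.
FILESIZE_THRESHOLD = 1024 * 1024 ** 2
SCANSIZE_THRESHOLD = 1025 * 1024 ** 2


def parse_size(value):
    """Convert a clamd.conf size such as '25M' or '2G' into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([KkMmGg]?)\s*", value)
    if not m:
        raise ValueError(f"bad size value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def parse_clamd_conf(text):
    """Return {directive: value} for a clamd.conf body, skipping comments and blank lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def _at_or_above(size_bytes, threshold):
    # clamd.conf documents a value of 0 as "disables the limit", so treat it as unbounded.
    return size_bytes == 0 or size_bytes >= threshold


def meets_cve_2025_20260_preconditions(conf_text):
    """True when both limits sit in the range the advisory says exposes unpatched builds."""
    opts = parse_clamd_conf(conf_text)
    # Fallbacks are the clamd.conf sample defaults (25M / 100M), far below both thresholds.
    max_file = parse_size(opts.get("MaxFileSize", "25M"))
    max_scan = parse_size(opts.get("MaxScanSize", "100M"))
    return _at_or_above(max_file, FILESIZE_THRESHOLD) and _at_or_above(max_scan, SCANSIZE_THRESHOLD)


# Constructed sample configs for illustration, not taken from any real deployment.
EXPOSED_CONF = "LogFile /var/log/clamav/clamd.log\nMaxFileSize 2G\nMaxScanSize 2G  # raised for archives\n"
DEFAULT_CONF = "LogFile /var/log/clamav/clamd.log\n"

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("default", DEFAULT_CONF)):
        verdict = "matches" if meets_cve_2025_20260_preconditions(conf) else "does not match"
        print(f"{name}: {verdict} the CVE-2025-20260 preconditions")
```

A match only means the limits are in the affected range; the fix is still to move to 1.4.3 or 1.0.9, since lowering the limits merely removes the trigger condition.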

The security issue has deep roots in ClamAV’s codebase, with the underlying vulnerability existing prior to version 1.0.0.

However, changes introduced in version 1.0.0 that enabled larger memory allocations based on untrusted data made it possible for attackers to actually trigger this vulnerability.

Greg Walkup from Sandia National Labs discovered and reported this critical security issue, which affects all currently supported ClamAV versions across both the 1.4.x and 1.0.x release branches.

Additional Security Patches

Version 1.4.3 includes an additional security fix for CVE-2025-20234, a buffer overflow read vulnerability in the Universal Disk Format (UDF) file parser.

This issue, which was introduced in version 1.2.0, could potentially lead to information disclosure through temporary file writes or cause system crashes resulting in denial-of-service conditions.

Security researcher volticks, working with Trend Micro’s Zero Day Initiative, identified and reported this vulnerability.

Both patch releases also address a use-after-free bug in the Xz decompression module within ClamAV’s bundled lzma-sdk library.

This long-standing vulnerability affects ClamAV versions dating back to at least 0.99.4, making it one of the most widespread issues addressed in these updates.

The fix incorporates corrections from lzma-sdk version 18.03, though ClamAV maintains its own modified version with performance optimizations and selective bug fixes rather than implementing full library upgrades.

OSS-Fuzz, Google’s continuous fuzzing service, identified this memory management vulnerability.

Windows users will benefit from a build installation fix that resolves conflicts when Dynamic Link Library (DLL) dependencies share identical names with system-provided libraries, such as libcrypto.

This improvement addresses deployment issues that could prevent proper ClamAV installation on Windows systems.

Release Availability

Organizations using ClamAV should prioritize these updates given the severity of the addressed vulnerabilities, particularly the remote code execution risk associated with CVE-2025-20260.

The security patches are immediately available through multiple distribution channels, including the official ClamAV downloads page and GitHub release repositories.

Docker Hub images may experience slight delays in availability following the release announcement.

This represents the standard distribution approach for ClamAV security updates, ensuring broad accessibility across different deployment environments.

A notable enhancement in this release cycle is the introduction of Linux ARM64 (aarch64) RPM and DEB installer packages specifically for the 1.4 LTS release.

This addition expands ClamAV’s official support to ARM-based server and desktop systems, reflecting the growing adoption of ARM processors in enterprise and cloud computing environments.

The ARM64 packages provide native performance benefits compared to emulated x86 installations on ARM hardware.

Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
