Tuesday, March 17, 2026

ClamAV Versions 1.4.3 and 1.0.9 Launch with Patch for Remote Code Execution Vulnerability

Today marks a significant milestone for the open-source antivirus community as ClamAV releases versions 1.4.3 and 1.0.9.

These patch releases address critical security vulnerabilities, including a dangerous buffer overflow that could enable remote code execution, along with several other important fixes and architectural improvements.

Moreover, Linux users on ARM64 (aarch64) platforms can now take advantage of RPM and DEB packages for the 1.4 LTS release, broadening ClamAV’s reach in server and multi-architecture environments.

Critical Security Fixes and Vulnerability Analysis

The highlight of this update is the resolution of CVE-2025-20260, a critical buffer overflow write bug in the PDF file parser. Exploitation of this vulnerability could lead to a denial-of-service (DoS) condition or even allow remote attackers to execute arbitrary code.

Significantly, this flaw was triggered primarily in configurations where the file-size scan limit was set at or above 1024MB and the scan-size limit at or above 1025MB.

The underlying code flaw predated version 1.0.0; however, changes in 1.0.0 that allowed larger allocations based on untrusted input made exploitation feasible. Both the 1.4.3 and 1.0.9 releases now fully patch this vulnerability.
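The configuration condition quoted above is easy to audit mechanically. The following is an added example, not ClamAV project code: it parses the MaxFileSize and MaxScanSize options from clamd.conf-style text and flags the combination the release notes describe. The K/M/G suffix handling, the treatment of a value of 0 as "unlimited", and the assumption that an absent option keeps a default far below the thresholds are my reading of clamd.conf conventions, not statements from the page.

```python
"""Audit clamd.conf-style settings for the scan-limit combination that the
ClamAV 1.4.3 / 1.0.9 release notes associate with CVE-2025-20260."""
import re

MIB = 1024 * 1024
# Thresholds quoted in the release notes: MaxFileSize >= 1024 MB, MaxScanSize >= 1025 MB.
THRESHOLDS = {"MaxFileSize": 1024 * MIB, "MaxScanSize": 1025 * MIB}

# clamd.conf size values are a byte count with an optional K/M/G suffix (assumption).
_MULT = {"": 1, "K": 1024, "M": MIB, "G": 1024 * MIB}
_LIMIT_RE = re.compile(r"^\s*(MaxFileSize|MaxScanSize)\s+(\d+)\s*([KkMmGg]?)\s*$")


def parse_limits(config_text):
    """Return {option: bytes} for MaxFileSize/MaxScanSize, skipping comment lines."""
    limits = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _LIMIT_RE.match(line)
        if match:
            name, number, suffix = match.groups()
            limits[name] = int(number) * _MULT[suffix.upper()]
    return limits


def limit_exposed(value, threshold):
    """True when a limit is at or above its threshold.  Assumption: a value of 0
    disables the limit, so it is treated as unbounded and therefore exposed."""
    return value == 0 or value >= threshold


def audit_config(config_text):
    """Return (exposed, findings).  Both limits must meet their thresholds.  An absent
    option keeps the daemon default, far below either threshold, so it does not count."""
    limits = parse_limits(config_text)
    findings = []
    for name, threshold in THRESHOLDS.items():
        value = limits.get(name)
        if value is not None and limit_exposed(value, threshold):
            shown = "unlimited" if value == 0 else f"{value // MIB} MiB"
            findings.append(f"{name} {shown} is at or above {threshold // MIB} MB")
    return len(findings) == len(THRESHOLDS), findings


# Constructed sample configurations, not taken from a real deployment.
SAFE_CONF = "MaxFileSize 100M\nMaxScanSize 400M\n"
EXPOSED_CONF = "# raised for large archive scans\nMaxFileSize 1G\nMaxScanSize 1025M\n"
```

Run `audit_config` over each host's clamd.conf (and any clamscan wrapper scripts) to find installations that need the 1.4.3 or 1.0.9 update most urgently.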

Another notable fix is for CVE-2025-20234, a buffer overflow read vulnerability in the UDF file parser introduced in version 1.2.0.

This issue could disclose sensitive information during file processing or crash the application, resulting in DoS. The patch is available exclusively in version 1.4.3.

Additionally, both versions address a potentially severe use-after-free bug in the Xz decompression module within the bundled lzma-sdk library.

This vulnerability affected all ClamAV releases as far back as 0.99.4 and could be exploited to cause memory corruption or other undefined behavior.

The fix backports the lzma-sdk version 18.03 solution with specific enhancements for libclamav.

New Build and Distribution Additions

Windows users also benefit from a resolved build issue that interfered with installations when third-party dependencies, such as libcrypto, share a name with Windows system files, thereby preventing “DLL hell” scenarios.

A noteworthy enhancement for Linux users is the expanded packaging support: ClamAV 1.4 now offers official RPM and DEB installer packages for aarch64 (ARM64) platforms.

This move aligns with the growing importance of ARM-based servers and applications in production environments, ensuring broader compatibility and easier deployment in diverse infrastructures.

Availability and Next Steps

The release files for ClamAV 1.4.3 and 1.0.9 are available for download on the official ClamAV downloads page, the GitHub Release page, and through Docker Hub. However, Docker images may experience a slight delay in availability on the release day.

All users are strongly encouraged to update to these new versions to mitigate exposure to the critical vulnerabilities mentioned.

Special thanks go to Greg Walkup of Sandia National Labs, volticks (aka @movx64), in collaboration with Trend Micro Zero Day Initiative, and OSS-Fuzz for their invaluable contributions in identifying and reporting these issues.

With this release, ClamAV continues to reinforce its reputation as a robust, community-driven antivirus platform, committed to security, compatibility, and the evolving needs of modern computing environments.

ClamAV’s commitment to rapid vulnerability response and cross-platform compatibility is especially important for enterprise users who manage large, heterogeneous environments.

By addressing critical bugs such as buffer overflows and use-after-free errors, ClamAV ensures that security teams can trust the integrity of their scanning operations.

The community’s collaborative approach, welcoming reports from organizations and individuals alike, further strengthens the software’s resilience and reliability. Stay tuned for further updates and continued improvements from the ClamAV team. 
