
Cisco’s ClamAV, one of the most widely used open-source antivirus engines, has released versions 1.4.3 and 1.0.9 to address two security vulnerabilities that can crash the scanner (denial of service) and, in the worse of the two cases, allow remote code execution. The flaws, tracked as CVE-2025-20260 (CVSS 9.8) and CVE-2025-20234 (CVSS 5.3), matter most to organizations that run ClamAV with raised file-size limits to scan large PDF documents, or that scan UDF disc images.
The first vulnerability, tracked as CVE-2025-20260 and rated CVSS 9.8, stems from how ClamAV handles PDF files when configured with large scan limits. Improper memory allocation during PDF scanning opens the door to a buffer overflow, which can result in:
- Crashing the antivirus engine (DoS)
- Potential remote code execution, depending on system architecture and runtime conditions
“A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow… or execute arbitrary code,” Cisco warns.
The overflow is reachable only when both size limits have been raised above specific thresholds:
- MaxFileSize (clamd.conf) / --max-filesize (clamscan) set to 1024MB or more
- MaxScanSize (clamd.conf) / --max-scansize (clamscan) set to 1025MB or more
Both conditions must hold at once. The stock defaults are far below these values, so an unmodified installation is not exposed; the deployments at risk are those that have raised the limits to scan large document archives, email attachments or disk images in enterprise or high-throughput environments, which are exactly the systems that accept untrusted files at volume.
Although the vulnerable code predates version 1.0.0, a change in 1.0.0 made the flaw exploitable by allowing larger memory allocations whose size is derived from untrusted input, which is why releases before 1.0.0 are not listed as affected.
The second vulnerability, CVE-2025-20234, has a CVSS score of 5.3 and affects the engine’s ability to process files using the Universal Disk Format (UDF)—a filesystem format commonly found on DVDs and ISO images.
“This vulnerability is due to a memory overread during UDF file scanning,” the advisory notes.
By submitting a malformed UDF file, an attacker can trigger a DoS condition that terminates the ClamAV scanning process; until clamd is restarted, whatever depended on it (a mail gateway, an upload handler, on-access scanning) runs without malware scanning.
The UDF parser, and with it this bug, was introduced in version 1.2.0, so the 1.0.x branch is not affected; the fix ships in 1.4.3.
Cisco has addressed both vulnerabilities in the following patched versions:
- ClamAV 1.4.3: fixes CVE-2025-20260 and CVE-2025-20234
- ClamAV 1.0.9: fixes CVE-2025-20260 (the 1.0.x branch predates the UDF parser and is not affected by CVE-2025-20234)
Users are strongly encouraged to upgrade as soon as possible, particularly if using custom configurations that increase scanning thresholds. Where an upgrade cannot happen immediately, lowering MaxFileSize and MaxScanSize back below the thresholds above takes the deployment out of the CVE-2025-20260 trigger condition in the meantime, although it is not a substitute for patching and does nothing for CVE-2025-20234.
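To turn the two conditions above (a version in the affected range and both limits raised into the window) into something an administrator can run, here is an added example in POSIX sh. It is not code from the original article or from the ClamAV project. It assumes clamd.conf "Key Value" lines with the documented K/M/G size suffixes, that a value of 0 disables a limit (as the clamd.conf documentation states), the "ClamAV 1.4.2/<sigs>/<date>" format printed by `clamd --version`, and, as a labelled assumption, that releases newer than 1.4.3 carry the fix. Branches 1.1.x to 1.3.x, for which the article names no fixed release, are reported as affected.

```shell
# Added example (not from the original article or the ClamAV project): decide
# whether a ClamAV host is in the exposure window for CVE-2025-20260.
# Assumptions: clamd.conf "Key Value" lines with K/M/G suffixes, "0" meaning
# "limit disabled", and `clamd --version` printing "ClamAV 1.4.2/<sigs>/<date>".

# Normalise a clamd.conf size value to whole megabytes. "0" disables the
# limit, so it is mapped to a value that compares as "above any threshold".
size_to_mb() {
  v=$1
  case "$v" in
    0)      echo 999999999 ;;
    *[Gg])  echo $(( ${v%?} * 1024 )) ;;
    *[Mm])  echo "${v%?}" ;;
    *[Kk])  echo $(( ${v%?} / 1024 )) ;;
    *)      echo $(( v / 1048576 )) ;;     # bare byte count
  esac
}

# Print the last uncommented setting of KEY in FILE, or nothing if absent
# (the built-in default then applies, and the defaults are below the window).
conf_value() {
  awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# True when the config meets BOTH advisory conditions: MaxFileSize >= 1024MB
# and MaxScanSize >= 1025MB. Note that MaxScanSize 1G (1024MB) is one
# megabyte short of the window, so it is reported as not exposed.
limits_in_window() {
  fs=$(conf_value "$1" MaxFileSize)
  ss=$(conf_value "$1" MaxScanSize)
  [ -n "$fs" ] && [ -n "$ss" ] || return 1
  [ "$(size_to_mb "$fs")" -ge 1024 ] && [ "$(size_to_mb "$ss")" -ge 1025 ]
}

# True when a "major.minor.patch" version is in the range the article
# describes as exploitable: 1.0.0-1.0.8, 1.1.x-1.3.x (no fixed release named),
# 1.4.0-1.4.2. Pre-1.0.0 is treated as not exploitable (the 1.0.0 change
# enabled it); anything past the 1.4 branch is ASSUMED to carry the fix.
version_affected() {
  maj=${1%%.*}; rest=${1#*.}; min=${rest%%.*}; pat=${rest#*.}
  pat=${pat%%[!0-9]*}                       # strip "-rc1" style suffixes
  [ "$maj" -eq 1 ] || return 1
  case "$min" in
    0)     [ "$pat" -lt 9 ] ;;
    4)     [ "$pat" -lt 3 ] ;;
    1|2|3) return 0 ;;
    *)     return 1 ;;
  esac
}

# Extract "1.4.2" from `clamd --version` (falls back to clamscan).
installed_version() {
  v=$(clamd --version 2>/dev/null || clamscan --version 2>/dev/null)
  v=${v#"ClamAV "}
  echo "${v%%/*}"
}

# Combine both checks for one config file; exit status 0 means "exposed".
assess() {
  ver=$(installed_version)
  if version_affected "$ver" && limits_in_window "$1"; then
    echo "EXPOSED: ClamAV $ver with $1 limits in the CVE-2025-20260 window"
    return 0
  fi
  echo "not exposed: ClamAV ${ver:-unknown}, $1"
  return 1
}
```

Run it as `assess /etc/clamav/clamd.conf` on the host (the path is the usual Debian location; adjust for your distribution). The version check alone is not enough: a 1.4.2 host with default limits is outside the trigger condition, and a patched host with raised limits is still a good candidate for revisiting why the limits were raised in the first place.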