Skip to main content

ClamAV EUVDEUVD-2026-41082

| CVE-2026-20217 HIGH
Classic Buffer Overflow (CWE-120)
2026-07-01 psirt@cisco.com GHSA-34f3-w8ff-r2xx
7.5
CVSS 3.1 · Vendor: cisco
Share

Severity by source

Vendor (cisco) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Untrusted files reach the scanner remotely without auth (AV:N/PR:N/UI:N/AC:L); confirmed impact is a scan-process crash only, so A:H with C:N/I:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (cisco).

CVSS VectorVendor: cisco

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 17:39 vuln.today

DescriptionCVE.org

A vulnerability in the PESpin file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device.

This vulnerability is due to improper boundary checks for content in PESpin files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains PESpin content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

AnalysisAI

Availability-impacting out-of-bounds write in ClamAV's PESpin file-format parser lets an unauthenticated remote attacker crash the scanning engine by submitting a crafted PESpin-packed file for scanning. Because ClamAV frequently sits inline on mail gateways, file-upload paths, and proxies, a single malicious sample can terminate the scanning process and produce a denial of service; the memory corruption may permit expanded impact beyond DoS though only crash impact is confirmed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious PESpin-packed file
Delivery
Submit file to ClamAV-scanned intake
Exploit
Trigger out-of-bounds write in PESpin unpacker
Execution
Corrupt memory and crash clamd
Impact
Denial of service on scanning host

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target runs ClamAV with PE/packer unpacking active (ScanPE enabled, the default) so the PESpin unpacker executes, and that the attacker can get a crafted PESpin-containing file scanned - e.g., via an inbound mail gateway, file-upload endpoint, or proxy that automatically hands files to clamd. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) reflects a network-reachable, low-complexity, unauthenticated attack with high availability impact and no confidentiality/integrity impact - i.e., a reliable DoS rather than confirmed code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker emails or uploads a specially crafted file containing malformed PESpin-packed content to a service that automatically scans inbound files with ClamAV. When clamd parses the PESpin structure, the out-of-bounds write corrupts memory and terminates the scanning process, disabling malware scanning for the affected node. …
Remediation Patch available per vendor advisory - upgrade ClamAV to the fixed release listed in Cisco advisory cisco-sa-clamav-88cFYyxR (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-88cFYyxR); the exact patched version is not confirmed from the provided data and must be taken from the advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all ClamAV deployments and enable alerting on service crashes; review logs for suspicious submissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-20032 CRITICAL
9.8 Mar 01

On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the HFS+ p

CVE-2026-20214 HIGH
7.5 Jul 01

Denial of service in ClamAV's FSG file format parser allows an unauthenticated remote attacker to crash the scanning eng

CVE-2026-20213 HIGH
7.5 Jul 01

Denial of service in ClamAV's PE (Portable Executable) file format parser lets an unauthenticated, remote attacker crash

CVE-2026-20244 HIGH
7.5 Jul 01

Denial of service in ClamAV's DMG file format parser allows a remote, unauthenticated attacker to crash the scanning eng

CVE-2026-20243 HIGH
7.5 Jul 01

Denial of service in ClamAV's ALZ archive parser allows an unauthenticated, remote attacker to crash the scanning engine

CVE-2026-20216 HIGH
7.5 Jul 01

Denial of service in ClamAV's InstallShield file format parser allows a remote, unauthenticated attacker (per CVSS PR:N)

CVE-2026-20215 HIGH
7.5 Jul 01

Denial of service in ClamAV's 7z archive scanner allows a remote, unauthenticated attacker to crash the scanning process

CVE-2023-20212 HIGH
7.5 Aug 18

A vulnerability in the AutoIt module of ClamAV could allow an unauthenticated, remote attacker to cause a denial of serv

CVE-2023-20197 HIGH
7.5 Aug 16

A vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthe

CVE-2022-20785 HIGH
7.5 May 04

On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 a

CVE-2022-20771 HIGH
7.5 May 04

On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 a

CVE-2022-20770 HIGH
7.5 May 04

On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 a

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected

Share

EUVD-2026-41082 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy