ClamAV Patches Critical RCE Vulnerability in Latest 1.4.3 and 1.0.9 Releases

ClamAV, the widely used open-source antivirus engine, has released crucial security updates, versions 1.4.3 and 1.0.9, addressing multiple vulnerabilities, including a critical remote code execution (RCE) bug.

The releases also mark an important milestone in platform support, with the addition of native Linux aarch64 (ARM64) RPM and DEB installer packages for the 1.4 LTS line, broadening ClamAV’s reach across diverse architectures.

Mitigating a Critical RCE in the PDF Parser

Central to these updates is the resolution of CVE-2025-20260, a high-impact buffer overflow write flaw in ClamAV’s PDF file parser.

The vulnerability could allow remote attackers to execute arbitrary code or cause a denial-of-service (DoS) condition under specific circumstances: the max file-size scan limit must be set at or above 1024MB and the max scan-size scan limit at or above 1025MB.
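Because exploitability hinges on two scan-limit settings, the first thing a defender running an unpatched build wants to know is whether their own configuration meets both preconditions. The following check is an added example written for this article, not ClamAV's own code; it assumes the standard clamd.conf option names MaxFileSize and MaxScanSize (real options, though the article does not name them) and uses a constructed sample configuration. Where either option is absent the compiled-in default applies, and since those defaults have changed between releases the check reports "unknown" rather than guessing.

```python
import re

# Exploitability preconditions stated in the advisory, converted to bytes.
MAX_FILE_SIZE_THRESHOLD = 1024 * 1024 ** 2   # max file-size limit >= 1024MB
MAX_SCAN_SIZE_THRESHOLD = 1025 * 1024 ** 2   # max scan-size limit >= 1025MB

# clamd size syntax: a number with an optional K or M suffix. G is accepted here
# as a convenience (an assumption of this example, not a documented clamd suffix).
_SIZE_RE = re.compile(r"^(\d+)\s*([KkMmGg]?)$")


def parse_size(value: str) -> int:
    """Convert a clamd size string such as '100M', '2048K' or '0' to bytes."""
    match = _SIZE_RE.match(value.strip())
    if not match:
        raise ValueError(f"unrecognised size value: {value!r}")
    number, suffix = int(match.group(1)), match.group(2).upper()
    factor = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}[suffix]
    return number * factor


def parse_clamd_conf(text: str) -> dict:
    """Return {Option: value} for the non-comment lines of a clamd.conf body.

    Each setting is 'Option value'; '#' starts a comment; a later line for the
    same option overrides an earlier one.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        options[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return options


def _limit_meets(size_bytes: int, threshold: int) -> bool:
    # clamd.conf documents a value of 0 as disabling the limit entirely, which is
    # at least as permissive as any threshold, so it counts as meeting it.
    return size_bytes == 0 or size_bytes >= threshold


def scan_limits_expose_pdf_bug(conf_text: str) -> dict:
    """Evaluate whether both CVE-2025-20260 preconditions hold for a config body.

    'preconditions_met' is True/False when both options are set explicitly and
    None when one is missing (the version-specific default would apply).
    """
    opts = parse_clamd_conf(conf_text)
    result = {
        "MaxFileSize": opts.get("MaxFileSize"),
        "MaxScanSize": opts.get("MaxScanSize"),
        "preconditions_met": None,
    }
    if result["MaxFileSize"] is None or result["MaxScanSize"] is None:
        return result
    result["preconditions_met"] = (
        _limit_meets(parse_size(result["MaxFileSize"]), MAX_FILE_SIZE_THRESHOLD)
        and _limit_meets(parse_size(result["MaxScanSize"]), MAX_SCAN_SIZE_THRESHOLD)
    )
    return result


# Constructed sample: limits raised well past the advisory's thresholds.
SAMPLE_CONF = """
# constructed clamd.conf fragment for this example
LogFile /var/log/clamav/clamd.log
MaxScanSize 2000M   # raised to scan large archives
MaxFileSize 2000M
"""

if __name__ == "__main__":
    print(scan_limits_expose_pdf_bug(SAMPLE_CONF))
```

Run against a real clamd.conf with `scan_limits_expose_pdf_bug(open("/etc/clamav/clamd.conf").read())`; a True result on a build older than 1.4.3 or 1.0.9 is the configuration the advisory singles out, and lowering either limit below its threshold removes the precondition until the upgrade lands.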

Although the underlying code issue existed prior to version 1.0.0, modifications introduced in that version facilitated larger memory allocations based on potentially untrusted data, exposing the bug to exploitation.

All currently supported ClamAV versions were affected, with patches now available in both 1.4.3 and 1.0.9 releases.

The issue was responsibly disclosed by Greg Walkup from Sandia National Labs, underscoring the importance of collaborative security research in the open-source ecosystem.

Another notable fix included in 1.4.3 addresses CVE-2025-20234, a buffer overflow read vulnerability found in the UDF file parser.

If triggered, this flaw could result in information disclosure by leaking data via temporary files or cause a DoS through application crashes.

Introduced in ClamAV version 1.2.0, this issue was identified by the security researcher volticks (aka @movx64), collaborating with the Trend Micro Zero Day Initiative. The fix ensures greater resilience in handling UDF-formatted files.

Additionally, both 1.4.3 and 1.0.9 resolve a use-after-free bug in the Xz decompression module, linked to ClamAV’s bundled lzma-sdk implementation.

Recognized as an issue since at least version 0.99.4, and addressed upstream in lzma-sdk 18.03, the flaw could have been exploited to destabilize scanning operations or as a vector for further memory corruption.

ClamAV continues to bundle a customized version of lzma-sdk, integrating specific performance enhancements while selectively applying critical bug fixes like this one.

This vulnerability came to light thanks to automated fuzz testing by OSS-Fuzz, reflecting the value of rigorous continuous testing practices.

Expanded Platform Support

Beyond vulnerability patches, the latest LTS release introduces official RPM and DEB installers for Linux aarch64 (ARM64), ensuring native support for modern server and embedded environments prevalent in cloud and IoT applications.

This addition simplifies deployment on ARM-based Linux distributions, a growing segment of the infrastructure ecosystem.

On Windows, the ClamAV team has tackled a build and installation issue related to dynamic link library (DLL) dependencies such as libcrypto.

Previous installer logic could misidentify DLLs with names matching those provided by the Windows operating system, potentially leading to installation errors or runtime conflicts.

The patch ensures robust dependency resolution and enhances installation stability on Windows platforms.

The updated releases, 1.4.3 and 1.0.9, are immediately available for download from the official ClamAV downloads page, GitHub Release page, and Docker Hub, though new Docker images may lag behind other distribution channels.

Users are strongly urged to upgrade promptly to mitigate exposure to these vulnerabilities, particularly the RCE risk highlighted in the PDF parser.

ClamAV’s rapid response, proactive platform expansion, and commitment to secure open-source development are evident in these latest releases.

Full release notes detailing these changes and acknowledgments to contributing researchers offer transparency and insight into the collaborative processes driving ClamAV’s ongoing reliability and security.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
