ClamAV 1.4.3, 1.0.9 Updates Fix Vulnerabilities

Cisco has released updates 1.4.3 and 1.0.9 of the free antivirus package ClamAV, addressing vulnerabilities that could potentially allow attackers to execute malicious code during content scanning.

One of the vulnerabilities, CVE-2025-20260, is an error in the PDF file analysis code. It can result in data being written outside the designated buffer, specifically in configurations where the File-Size and Scan-Size settings are at or above 1024MB and 1025MB, respectively. The vulnerability exists in ClamAV versions from 1.0.0 onwards and could potentially allow code execution with the privileges of the ClamAV process.
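As an added defender's check (not ClamAV's own tooling or code from this article), the following Python parses a clamd.conf and reports whether both limits sit at or above the thresholds the advisory gives for the PDF bug. It assumes the article's "File-Size" and "Scan-Size" settings are the clamd.conf options MaxFileSize and MaxScanSize, and the sample configuration at the bottom is constructed.

```python
import re

# Thresholds from the article for CVE-2025-20260: the PDF overflow is reachable when
# the file-size limit is >= 1024 MB and the scan-size limit is >= 1025 MB. Assumption:
# these are the clamd.conf options MaxFileSize and MaxScanSize.
MB = 1024 * 1024
FILESIZE_THRESHOLD = 1024 * MB
SCANSIZE_THRESHOLD = 1025 * MB
# Size suffixes accepted in clamd.conf (no suffix means bytes).
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_size(value):
    """Convert a clamd.conf size such as '100M', '2048' or '1G' to bytes."""
    m = re.fullmatch(r"(\d+)([KMGkmg]?)", value.strip())
    if not m:
        raise ValueError(f"unrecognised size value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]

def parse_clamd_conf(text):
    """Map option names to values, ignoring comments and blank lines."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if line:
            key, *rest = line.split(None, 1)  # option and value are whitespace-separated
            opts[key] = rest[0].strip() if rest else ""
    return opts

def limits_in_risky_range(conf_text):
    """True when both limits are at or above the advisory thresholds."""
    opts = parse_clamd_conf(conf_text)

    def at_least(option, threshold):
        # In clamd.conf a value of 0 disables the limit, so 0 counts as unbounded.
        # An absent option falls back to ClamAV's compiled default, which the article
        # does not state; it is treated as below threshold (assumption).
        size = parse_size(opts[option]) if option in opts else None
        return size is not None and (size == 0 or size >= threshold)

    return at_least("MaxFileSize", FILESIZE_THRESHOLD) and at_least("MaxScanSize", SCANSIZE_THRESHOLD)

# Constructed sample config (not a shipped file) with both limits raised past the thresholds.
SAMPLE_CONF = """\
LogFile /var/log/clamav/clamd.log
MaxScanSize 2G   # well above 1025M
MaxFileSize 1024M
"""
```

Run `limits_in_risky_range(open("/etc/clamav/clamd.conf").read())` against a real file; a True result on a version before 1.4.3 or 1.0.9 is the combination the article describes.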

Another vulnerability, CVE-2025-20234, is an error in the analysis code for UDF-format files. It can lead to data being read from memory beyond the designated buffer, which may crash the process abruptly or leak memory contents into a temporary file. It affects ClamAV versions from 1.2.0 onwards.

Additionally, there is a use-after-free vulnerability in the archive unpacking module for XZ-format files, which has not been assigned a CVE number. It stems from an error in the ClamAV library's integration of the lzma-sdk code, which was fixed in the LZMA-SDK 18.03 release. It affects all ClamAV versions from 0.99.4 onwards.
