CVE-2025-20128

NameCVE-2025-20128
DescriptionA vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer underflow in a bounds check that allows for a heap buffer overflow read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software. For a description of this vulnerability, see the . Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1093880

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
clamav (PTS)bullseye0.103.10+dfsg-0+deb11u1vulnerable
bullseye (security)1.0.7+dfsg-1~deb11u2vulnerable
bookworm1.0.7+dfsg-1~deb12u1vulnerable
sid, trixie1.4.1+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
clamavsource(unstable)(unfixed)1093880

Notes

[bookworm] - clamav <no-dsa> (clamav is being updated via -updates)
https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html
Search for package or bug name: Reporting problems