CVE-2026-20213

Name: CVE-2026-20213
Description: A vulnerability in the PE file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in PE files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains PE content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version                   Status
clamav (PTS)     bullseye              0.103.10+dfsg-0+deb11u1   vulnerable
                 bullseye (security)   1.4.3+dfsg-1~deb11u1      vulnerable
                 bookworm              1.4.3+dfsg-1~deb12u2      vulnerable
                 trixie                1.4.3+dfsg-1              vulnerable
                 forky                 1.4.4+dfsg-1              vulnerable
                 sid                   1.4.4+dfsg-2              vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
clamav    source   (unstable)   (unfixed)

Notes

[trixie] - clamav <no-dsa> (clamav is updated via -updates)
https://blog.clamav.net/2026/07/clamav-153-and-145-security-patch.html
