[Pkg-clamav-devel] Bug#1108046: clamav: CVE-2025-20260
Salvatore Bonaccorso
carnil at debian.org
Thu Jun 19 17:22:04 BST 2025
Source: clamav
Version: 1.4.2+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 1.0.7+dfsg-1~deb12u1
Hi,
The following vulnerability was published for clamav.
CVE-2025-20260[0]:
| A vulnerability in the PDF scanning processes of ClamAV could allow
| an unauthenticated, remote attacker to cause a buffer overflow
| condition, cause a denial of service (DoS) condition, or execute
| arbitrary code on an affected device. This vulnerability exists
| because memory buffers are allocated incorrectly when PDF files are
| processed. An attacker could exploit this vulnerability by
| submitting a crafted PDF file to be scanned by ClamAV on an affected
| device. A successful exploit could allow the attacker to trigger a
| buffer overflow, likely resulting in the termination of the ClamAV
| scanning process and a DoS condition on the affected software.
| Although unproven, there is also a possibility that an attacker
| could leverage the buffer overflow to execute arbitrary code with
| the privileges of the ClamAV process.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-20260
https://www.cve.org/CVERecord?id=CVE-2025-20260
[1] https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html
Regards,
Salvatore