// 2 CVE · 1 EXPLOIT IN THE LAST 24H
ClamAV 1.5.3 and 1.4.5 address vulnerabilities in PE file, archive, and disk image parsers. Two bugs survived roughly 20 years in critical security code.

Cisco Talos released ClamAV versions 1.5.3 and 1.4.5 on July 5, 2026, patching the open-source antivirus engine most widely deployed in mail gateways and enterprise upload systems. The release fixes seven security vulnerabilities in parsing and unpacking code, some introduced between 2004 and 2005. The stakes are immediate: ClamAV continuously processes untrusted files in automated environments without human intervention, turning every parsing bug into a potential remote attack vector.

Key Takeaways
  • ClamAV 1.5.3 and 1.4.5 fix seven CVEs in the scanning engine, spanning heap overflows, memory corruption, and crashes.
  • Two vulnerabilities date to 2004 (FSG unpacker, CVE-2026-20214) and 2005 (PESpin unpacker, CVE-2026-20217), surviving roughly 20 years in the codebase.
  • CVE-2026-20244 in the DMG parser affects only 32-bit builds from version 0.98.1 onward, leaving 64-bit systems unaffected.
  • The release includes hardening against a time-of-check/time-of-use race condition in quarantine handling, reported by Hiroki Imai of Ricerca Security, Inc.

Twenty Years in Code: Longevity as Vulnerability

The most unsettling finding is not technical but chronological. The bug in the FSG unpacker, tracked as CVE-2026-20214, exists in builds dating to 2004. The flaw in the PESpin unpacker cleanup path CVE-2026-20217, has lived in the code since 2005. That means for nearly two decades, across countless releases, audits, and refactors, the parsing logic for two compressed PE executable formats remained exposed to malformed manipulation.

The source states directly that "most of the patched bugs sit in the code that unpacks and parses executable formats, the part of a scanner built to handle hostile input." This is the crux: the most critical perimeter, designed to intercept threats, became an attack surface itself. ClamAV's native parsers for PE with Aspack, FSG, PESpin packers, for 7z, ALZ, InstallShield archives, and for DMG disk images operate on potentially hostile input without sufficient bounds checks, allowing integer overflows that propagate into heap buffer overflows.

The Seven CVEs: Mechanisms and Formats Affected

Cisco Talos cataloged seven CVE identifiers with technical descriptions converging on a common pattern: unpacking logic operates on external data structures without rigorously validating sizes and offsets before memory allocation.

CVE-2026-20213 involves an integer overflow in the reconstruction size calculation for Aspack-compressed PE files, resulting in a heap buffer overflow on write. CVE-2026-20214, the 2004 bug, exploits a loop underflow in the FSG unpacker that writes past the section array in crafted PE files. CVE-2026-20217, from 2005, resides in the PESpin unpacker cleanup path: freeing pointers in the scanned file buffer crashes the engine.

The remaining four CVEs expand the surface beyond executables. CVE-2026-20215 hits the 7z parser with a substream counter overflow causing under-allocation and writes past metadata. CVE-2026-20243 introduces size-handling errors in the ALZ parser, leading to panics, aborts, or scan-limit bypasses. CVE-2026-20216 allows bypass of the extraction limit for InstallShield archives, with potential temporary storage exhaustion. CVE-2026-20244, narrow and specific, crashes the 32-bit DMG parser when it encounters short stripe tables: it affects only 32-bit builds from version 0.98.1 onward, excluding 64-bit systems.

The Quarantine Case: TOCTOU and Race Condition

Alongside the parsing bugs, the 1.5.3/1.4.5 release includes hardening for a time-of-check/time-of-use race condition in quarantine actions for clamscan, clamdscan, and clamonacc. The vulnerability was reported by Hiroki Imai, affiliated with Ricerca Security, Inc. The TOCTOU mechanism exploits a race window between when the system verifies a file's conditions and when it acts on them, potentially enabling filesystem manipulation in multi-user or multi-process environments.

The presence of this vulnerability class typical of software with high concurrent exposure indicates that ClamAV's attack surface extends beyond static parsing into file management operations, an area traditionally less scrutinized than unpacking engines.

Why It Matters

The dossier does not specify whether the vulnerabilities have been exploited in the wild, nor does it quantify the real-world attack surface in terms of vulnerable installations. The brief does not document specific remedial measures beyond the version upgrade, nor detail the content of the RUSTSEC advisories cited for the Rust tar dependency.

The source does not report explicit CVSS scores for the vulnerabilities, limiting itself to qualitative severity descriptions. No separate official Cisco Talos advisory emerges beyond the communication reported by Help Net Security.

What the dossier confirms is sufficient to define the risk: ClamAV sits in mandatory transit positions SMTP gateways, upload proxies, enterprise endpoints where every attached or uploaded file automatically traverses the scanning engine. The non-interactive nature of the process amplifies exposure: no prompt appears, no confirmation request arrives, the parser simply processes.

"Most of the patched bugs sit in the code that unpacks and parses executable formats, the part of a scanner built to handle hostile input"

Takeaway: The Sustainability of Audits in Vendor-Maintained Open-Source Security Software

ClamAV is a case study in structural tension: born as an independent open-source project, acquired by Cisco in 2007, managed by Talos as critical infrastructure for the security ecosystem. This hybridization open code, corporate resources did not prevent two bugs from surviving 20 years, crossing generations of maintainers, toolchains, and development paradigms.

The phenomenon raises questions about the auditing model for open-source security software. If the most widely deployed antivirus scanning engine can host parsing vulnerabilities for two decades, the "many eyes" logic needs correctives: code availability alone is not enough; continuity of focus on the most dangerous input paths is required those that, as the source reminds us, are "built to handle hostile input." The 1.5.3 release also raises the minimum CMake version to 3.17, a detail suggesting infrastructure modernization but also accumulated technical debt.

Version 1.5.3 includes, beyond the security fixes, an upgrade of the Rust tar dependency for RUSTSEC advisories, a fix for CVE-2026-41676 in OpenSSL, scan metadata pre-classification, and a hash bucket corruption fix in ClamOnAcc. This density of interventions in a single release indicates the maintenance cycle has reached a saturation point: security fixes, dependency updates, and stability improvements converge in a comprehensive patch that administrators must evaluate as an indivisible unit.

Frequently Asked Questions

Which versions fix the vulnerabilities?
ClamAV 1.5.3 and 1.4.5, released simultaneously for different version lines.

Are all architectures affected?
No. CVE-2026-20244 in the DMG parser affects only 32-bit builds from version 0.98.1 onward; 64-bit builds are not affected by this specific bug.

How long have these bugs existed?
Two vulnerabilities date to 2004 (FSG unpacker) and 2005 (PESpin cleanup), while the others have no specific historical timeline in the source.

Information is based on the cited advisory and current as of publication.

Information is based on the cited source and current as of publication.

Sources


Sources and references
  1. helpnetsecurity.com
  2. thehackernews.com
  3. krebsonsecurity.com