Cyber Resilience

CVE-2020-37167

High · Public PoC

Published: 12 February 2026

Modified: 15 April 2026
CVSS Score v4: 8.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0017 (6.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2020-37167 is a high-severity vulnerability of an unspecified weakness type. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 6.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2020-37167 is a vulnerability in ClamAV versions prior to 0.103.0-rc, specifically affecting the function name processing in the ClamBC bytecode interpreter. Weak input validation in function name encoding allows attackers to manipulate bytecode function names, potentially enabling the execution of malicious bytecode or causing unexpected behavior in the ClamAV engine. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A local attacker with no privileges required can exploit this issue with low complexity and no user interaction. By crafting malicious bytecode that exploits the function name manipulation, the attacker can achieve high impacts on confidentiality, integrity, and availability, such as executing arbitrary code within the ClamAV engine or disrupting its scanning operations.

Mitigation requires upgrading to ClamAV 0.103.0-rc or later; the fixing commit is available at https://github.com/Cisco-Talos/clamav/commit/cd2f2975b93277de7f74464d48adb378375a305f. Further details appear on the official ClamAV site at https://www.clamav.net/, with a proof-of-concept exploit documented at https://www.exploit-db.com/exploits/47687 and an advisory at https://www.vulncheck.com/advisories/clamav-clambc-clambc-executable-regular-expression-error. A public exploit on Exploit-DB indicates potential for real-world abuse.

Vulnerability details

ClamAV versions prior to 0.103.0-rc contain a vulnerability in function name processing through the ClamBC bytecode interpreter that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious bytecode or cause unexpected behavior in the ClamAV engine.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local unprivileged code execution in privileged AV engine via bytecode interpreter flaw directly enables privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

ClamAV
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly mandates identification, reporting, and correction of flaws like CVE-2020-37167 through timely patching or upgrading to ClamAV 0.103.0-rc or later.

prevent: Requires validation of information inputs such as ClamBC bytecode function names to counter weak input validation and prevent manipulation leading to malicious execution.

detect: Provides for vulnerability scanning to identify deployments of vulnerable ClamAV versions prior to 0.103.0-rc, enabling remediation before exploitation.
