CVE-2020-37167
Published: 12 February 2026
Summary
CVE-2020-37167 is a high-severity vulnerability whose weakness type (CWE) is unspecified. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 6.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog, although a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2020-37167 is a vulnerability in ClamAV versions prior to 0.103.0-rc, specifically in function-name processing in the ClamBC bytecode interpreter. Weak input validation of the function-name encoding lets an attacker manipulate bytecode function names, potentially enabling execution of malicious bytecode or causing unexpected behavior in the ClamAV engine. The vulnerability carries a CVSS v3.1 base score of 8.4 for the vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; note that this vector computes to 8.4, not the 8.6 cited in the summary above.
A local attacker with no privileges required can exploit this issue with low complexity and no user interaction. By crafting malicious bytecode that exploits the function name manipulation, the attacker can achieve high impacts on confidentiality, integrity, and availability, such as executing arbitrary code within the ClamAV engine or disrupting its scanning operations.
Mitigation requires upgrading to ClamAV 0.103.0-rc or later; the fixing commit is https://github.com/Cisco-Talos/clamav/commit/cd2f2975b93277de7f74464d48adb378375a305f. Further details appear on the official ClamAV site at https://www.clamav.net/, with a proof-of-concept exploit documented at https://www.exploit-db.com/exploits/47687 and an advisory at https://www.vulncheck.com/advisories/clamav-clambc-clambc-executable-regular-expression-error. A public exploit on Exploit-DB indicates potential for real-world abuse.
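Since the fix is a version floor, the RA-5-style check a fleet script or scanner needs is a version comparison against 0.103.0-rc. The following is an added example written for this page, not ClamAV's or the advisory's code. It parses the first line `clamscan --version` (and `clamd --version`) prints, in the form `ClamAV <version>/<db-version>/<date>` or just `ClamAV <version>` when no signature database is loaded, recognises the `-rc` pre-release tag that the first fixed build carries, and treats any other 0.103.0 pre-release tag as predating the fix; that last ordering is an assumption about tag order, not something the page states. The sample outputs are constructed, not captured from real hosts.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed release per the advisory text: 0.103.0-rc and anything later.
FIXED_IN = (0, 103, 0)

# Matches the version field of `clamscan --version` output, e.g.
# "ClamAV 0.102.4/25930/Tue Sep 22 12:39:36 2020" or "ClamAV 0.103.0-rc".
VERSION_RE = re.compile(r"\bClamAV\s+(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(output: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, prerelease) from version output, or None
    when no ClamAV version string is present (binary missing, odd build)."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), (pre or "")


def is_vulnerable(output: str) -> Optional[bool]:
    """True if the reported version predates 0.103.0-rc, False if it is
    fixed, None if the version could not be determined."""
    parsed = parse_version(output)
    if parsed is None:
        return None
    numeric, pre = parsed[:3], parsed[3]
    if numeric < FIXED_IN:
        return True
    if numeric == FIXED_IN and pre and not pre.startswith("rc"):
        # Assumption: a 0.103.0 pre-release tag other than -rc (e.g. -beta)
        # predates the rc build the advisory names as the first fixed version.
        return True
    return False


def check_installed(binary: str = "clamscan") -> Optional[bool]:
    """Run the local binary and classify it; None if absent or unparseable."""
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True,
                              text=True, timeout=10, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return is_vulnerable(proc.stdout)


if __name__ == "__main__":
    # Constructed sample outputs covering vulnerable, first-fixed and current builds.
    samples = [
        "ClamAV 0.102.4/25930/Tue Sep 22 12:39:36 2020",
        "ClamAV 0.103.0-rc",
        "ClamAV 1.0.3/26987/Thu Aug 24 07:21:17 2023",
    ]
    for sample in samples:
        print(f"{sample!r}: vulnerable={is_vulnerable(sample)}")
    print("installed clamscan:", check_installed())
```

Returning None rather than False when the version cannot be read matters in practice: a host where `clamscan` is missing or prints something unexpected should be flagged for a manual look, not silently counted as patched.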
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31211
Vulnerability details
ClamAV versions prior to 0.103.0-rc contain a vulnerability in function name processing through the ClamBC bytecode interpreter that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious bytecode or cause unexpected behavior in the ClamAV engine.
- CWE(s): not specified
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
Local, unprivileged code execution inside a privileged AV engine via a bytecode-interpreter flaw directly enables privilege escalation.
Affected Assets
- ClamAV, versions prior to 0.103.0-rc
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mandates identification, reporting, and correction of flaws like CVE-2020-37167 through timely patching or upgrading to ClamAV 0.103.0-rc or later.
- SI-10 (Information Input Validation): Requires validation of information inputs such as ClamBC bytecode function names to counter weak input validation and prevent manipulation leading to malicious execution.
- RA-5 (Vulnerability Monitoring and Scanning): Provides for vulnerability scanning to identify deployments of vulnerable ClamAV versions prior to 0.103.0-rc, enabling remediation before exploitation.