CVE-2025-20260
Published: 18 June 2025
Summary
CVE-2025-20260 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in ClamAV. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 20.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A vulnerability in the PDF scanning processes of ClamAV stems from incorrect memory buffer allocation during PDF file handling. This flaw, tracked as CVE-2025-20260 and assigned CWE-122, affects the open-source ClamAV antivirus engine and carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can exploit the issue by submitting a specially crafted PDF file for scanning. Successful exploitation may trigger a buffer overflow that terminates the ClamAV process, resulting in a denial-of-service condition; although unproven, the overflow could also permit arbitrary code execution under the privileges of the ClamAV process.
Advisories recommend applying the available security patches. ClamAV versions 1.4.3 and 1.0.9 address the flaw, and corresponding updates have been issued for affected distributions such as Debian LTS.
EPSS scores remain low, with a current value of 0.0123 and a peak of 0.0147, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18658
Vulnerability details
A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.
- CWE(s): CWE-122 (Heap-based Buffer Overflow)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.