Cyber Resilience

CVE-2025-20260

Severity: Critical
Published: 18 June 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0123 (79.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-20260 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in the ClamAV antivirus engine. Its CVSS v3.1 base score is 9.8 (Critical): network-reachable, low complexity, no privileges or user interaction required, with high impact on confidentiality, integrity and availability.

Operationally, its EPSS score places it in the top 20.4% of CVEs by estimated exploit likelihood (79.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability in the PDF scanning code of ClamAV stems from incorrect memory buffer allocation during PDF file handling. The flaw is tracked as CVE-2025-20260, classified as CWE-122 (heap-based buffer overflow), affects the open-source ClamAV antivirus engine, and carries a CVSS 3.1 base score of 9.8.

An unauthenticated remote attacker can exploit the issue by submitting a specially crafted PDF file for scanning. Successful exploitation can trigger a buffer overflow that terminates the ClamAV scanning process, resulting in a denial-of-service condition; although unproven, the overflow could also permit arbitrary code execution with the privileges of the ClamAV process. Because ClamAV is commonly placed in front of mail, upload and file-transfer paths, any channel that delivers attacker-controlled PDFs to the scanner is a viable delivery vector.

Advisories recommend applying the available security patches. The fix ships in ClamAV 1.4.3 and 1.0.9, and corresponding updates have been issued for affected distributions such as Debian LTS. Note that the version ranges listed under Affected Assets below end at these fixed releases; treat 1.0.9 and 1.4.3 themselves as patched.

EPSS scores remain low, with a current value of 0.0123 and a peak of 0.0147. EPSS estimates the probability of exploitation in the wild over the next 30 days; it is a prediction of exploitation interest, not evidence that exploitation has or has not occurred.

Vulnerability details

A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.

CWE(s)

CWE-122: Heap-based Buffer Overflow

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

clamav (vendor) / clamav (product)
Listed ranges: ≤ 1.0.9 and 1.2.0 to 1.4.3. Since 1.0.9 and 1.4.3 are the fixed releases, read these as versions before 1.0.9 and versions from 1.2.0 up to but excluding 1.4.3.
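The following script is an added example for checking an installed ClamAV version against the ranges above; it is not code from this page or from the ClamAV project. It assumes the ranges end at the fixed releases named in the advisory text (1.0.9 and 1.4.3 count as fixed), and it reports the 1.1.x branch, which the page does not list, as "unlisted" rather than safe. The sample banner is constructed to match the `ClamAV <version>/<dbversion>/<date>` shape of `clamscan --version` output.

```sh
#!/bin/sh
# Added example (not from the advisory or the ClamAV project): classify a ClamAV
# version against the affected ranges this page lists for CVE-2025-20260.
# Assumption: the page's ranges "<= 1.0.9" and "1.2.0 - 1.4.3" end at the fixed
# releases named in the advisory text, so 1.0.9 and 1.4.3 themselves are treated
# as fixed. The 1.1.x branch is not in the page's list and is reported as "unlisted".

# Convert "X.Y.Z" into a single integer so the shell can compare it numerically
# (each component is assumed to be below 1000; a missing patch level counts as 0).
ver_num() {
    printf '%s\n' "$1" | awk -F. '{ print ($1 * 1000000) + ($2 * 1000) + ($3 + 0) }'
}

# Pull the version out of a `clamscan --version` banner such as
# "ClamAV 1.4.2/27650/Wed Jun 18 08:30:12 2025".
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# Print one of: affected, fixed, unlisted.
clamav_status() {
    v=$(ver_num "$1")
    if [ "$v" -lt "$(ver_num 1.0.9)" ]; then
        echo affected            # anything before the 1.0.9 fix
    elif [ "$v" -lt "$(ver_num 1.1.0)" ]; then
        echo fixed               # 1.0.9 and later 1.0.x
    elif [ "$v" -lt "$(ver_num 1.2.0)" ]; then
        echo unlisted            # 1.1.x: not on the page's affected list
    elif [ "$v" -lt "$(ver_num 1.4.3)" ]; then
        echo affected            # 1.2.0 up to but excluding 1.4.3
    else
        echo fixed               # 1.4.3 and later
    fi
}

# Constructed sample banner, not output captured from a real host.
SAMPLE_BANNER='ClamAV 1.4.2/27650/Wed Jun 18 08:30:12 2025'
echo "$SAMPLE_BANNER -> $(clamav_status "$(version_from_banner "$SAMPLE_BANNER")")"
# On a real host, feed the live banner instead:
#   clamav_status "$(version_from_banner "$(clamscan --version)")"
```

Run it on each host that exposes ClamAV to untrusted input (mail gateways, upload scanners, clamd services); an "affected" result means the host needs the 1.4.3 or 1.0.9 release, or the equivalent distribution update, and "unlisted" means the version is outside the ranges this page records and should be checked against the vendor advisory directly.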

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. The mitigation named in the advisory is upgrading to a fixed release (1.4.3 or 1.0.9) or the corresponding distribution update.
