CVE-2026-20031
Received Received - Intake
Denial of Service in ClamAV CSS Module via UTF-8 Handling

Publication date: 2026-03-04

Last updated on: 2026-03-04

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the HTML Cascading Style Sheets (CSS) module of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper error handling when splitting UTF-8 strings. An attacker could exploit this vulnerability by submitting a crafted HTML file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the scanning process.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-20031
EUVD
EUVD-2026-9433
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
cisco secure_endpoint_connector_for_linux 1.28.1
cisco secure_endpoint_connector_for_mac 1.27.2
cisco secure_endpoint_connector_for_windows 8.6.0
cisco secure_endpoint_private_cloud 4.2.7
clamav clamav *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-20031 is a vulnerability in the HTML Cascading Style Sheets (CSS) module of ClamAV caused by improper error handling when splitting UTF-8 strings during image parsing.

An unauthenticated, remote attacker can exploit this flaw by submitting a specially crafted HTML file to be scanned by ClamAV, which can cause the scanning process to terminate unexpectedly.

This results in a denial of service (DoS) condition on the affected device, disrupting the scanning operation.

Impact Analysis

The vulnerability can cause the ClamAV scanning process to crash, which delays or prevents further scanning operations on affected Linux, Mac, and Windows platforms.

While it does not affect the overall system stability, the denial of service condition can reduce the availability of malware scanning, potentially leaving the system temporarily unprotected.

No privileges or user interaction are required for an attacker to exploit this vulnerability, making it easier to trigger remotely.

Compliance Impact

I don't know

Detection Guidance

There are no specific detection commands or network indicators provided for identifying this vulnerability on your system or network.

The vulnerability causes the ClamAV scanning process to terminate unexpectedly when scanning crafted HTML files with malformed UTF-8 strings in CSS modules.

Monitoring for unexpected termination or crashes of the ClamAV scanning process during HTML file scans may help indicate exploitation attempts.

Mitigation Strategies

There are no workarounds available for this vulnerability.

The recommended immediate mitigation is to upgrade affected Cisco Secure Endpoint Connectors to the fixed software versions:

  • Linux Connector to version 1.28.1 or later
  • Mac Connector to version 1.27.2 or later
  • Windows Connector to version 8.6.0 or later
  • Secure Endpoint Private Cloud connectors to version 4.2.7 or later

Updates are available via the Cisco Secure Endpoint portal or connector repository, and automatic updates may be applied depending on policy configurations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20031. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart