CVE-2026-20031
Denial of Service in ClamAV CSS Module via UTF-8 Handling
Publication date: 2026-03-04
Last updated on: 2026-03-04
Assigner: Cisco Systems, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | secure_endpoint_connector_for_linux | 1.28.1 |
| cisco | secure_endpoint_connector_for_mac | 1.27.2 |
| cisco | secure_endpoint_connector_for_windows | 8.6.0 |
| cisco | secure_endpoint_private_cloud | 4.2.7 |
| clamav | clamav | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-20031 is a vulnerability in the HTML Cascading Style Sheets (CSS) module of ClamAV caused by improper error handling when splitting UTF-8 strings during image parsing.
An unauthenticated, remote attacker can exploit this flaw by submitting a specially crafted HTML file to be scanned by ClamAV, which can cause the scanning process to terminate unexpectedly.
This results in a denial of service (DoS) condition on the affected device, disrupting the scanning operation.
How can this vulnerability impact me?
The vulnerability can cause the ClamAV scanning process to crash, which delays or prevents further scanning operations on affected Linux, Mac, and Windows platforms.
While it does not affect the overall system stability, the denial of service condition can reduce the availability of malware scanning, potentially leaving the system temporarily unprotected.
No privileges or user interaction are required for an attacker to exploit this vulnerability, making it easier to trigger remotely.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network indicators provided for identifying this vulnerability on your system or network.
The vulnerability causes the ClamAV scanning process to terminate unexpectedly when scanning crafted HTML files with malformed UTF-8 strings in CSS modules.
Monitoring for unexpected termination or crashes of the ClamAV scanning process during HTML file scans may help indicate exploitation attempts.
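One way to implement the crash monitoring described above, as an added example that is not part of the original page: it reads `journalctl -o short-iso` style lines, keeps abnormal exits of a scanner unit, and reports hosts where they repeat within a short window. The unit names, the threshold and window, and the sample log lines are assumptions constructed for illustration; the page does not state how the termination appears in logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the scanner runs as a systemd unit; adjust these names to your hosts.
SCANNER_UNITS = {"clamav-daemon.service", "clamd@scan.service"}

# systemd reports a stopped main process as:
#   <unit>: Main process exited, code=<exited|killed|dumped>, status=<n>/<NAME>
EXIT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) systemd\[1\]: (?P<unit>\S+): "
    r"Main process exited, code=(?P<code>\w+), status=(?P<status>\S+)$"
)

# Constructed sample input (journalctl -o short-iso layout), not real telemetry.
SAMPLE_LOG = """\
2026-03-05T10:15:02+0000 mx1 systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=6/ABRT
2026-03-05T10:15:03+0000 mx1 systemd[1]: clamav-daemon.service: Failed with result 'signal'.
2026-03-05T10:19:40+0000 mx1 systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=6/ABRT
2026-03-05T11:00:00+0000 mx2 systemd[1]: clamav-daemon.service: Main process exited, code=exited, status=0/SUCCESS
2026-03-05T11:30:00+0000 mx3 systemd[1]: clamav-daemon.service: Main process exited, code=dumped, status=11/SEGV
"""

def find_crash_bursts(lines, threshold=2, window=timedelta(minutes=10)):
    """Map (host, unit) -> crash times when `threshold` abnormal exits fit in `window`."""
    crashes = defaultdict(list)
    for line in lines:
        m = EXIT_RE.match(line.strip())
        if not m or m["unit"] not in SCANNER_UNITS:
            continue
        if m["code"] == "exited" and m["status"].startswith("0/"):
            continue  # clean stop, e.g. a planned restart
        crashes[(m["host"], m["unit"])].append(
            datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z"))
    bursts = {}
    for key, stamps in crashes.items():
        stamps.sort()
        # Slide over the sorted times looking for `threshold` exits inside one window.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                bursts[key] = stamps
                break
    return bursts

if __name__ == "__main__":
    for (host, unit), stamps in find_crash_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{host} {unit}: {len(stamps)} abnormal exits, first at {stamps[0]}")
```

Correlating a flagged window with the files scanned just before each exit (mail gateway or on-access scan logs) helps separate a crafted HTML file from an unrelated crash.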
What immediate steps should I take to mitigate this vulnerability?
There are no workarounds available for this vulnerability.
The recommended immediate mitigation is to upgrade affected Cisco Secure Endpoint Connectors to the fixed software versions:
- Linux Connector to version 1.28.1 or later
- Mac Connector to version 1.27.2 or later
- Windows Connector to version 8.6.0 or later
- Secure Endpoint Private Cloud connectors to version 4.2.7 or later
Updates are available via the Cisco Secure Endpoint portal or connector repository, and automatic updates may be applied depending on policy configurations.