CVE-2026-20213
Status: Received - Intake

Memory Corruption in ClamAV PE Parser Leads to DoS

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Cisco Systems, Inc.

Description

A vulnerability in the PE file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device. This vulnerability is due to improper boundary checks for content in PE files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains PE content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
clamav clamav *

Exploitability

CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

Executive Summary

CVE-2026-20213 is a vulnerability in the ClamAV antivirus software's Portable Executable (PE) file format parser. It occurs because of improper boundary checks during the scanning of PE files, which can lead to memory corruption.

An unauthenticated, remote attacker can exploit this flaw by submitting a specially crafted PE file to be scanned by ClamAV. This can cause the scanning process to terminate unexpectedly, resulting in a denial of service (DoS) condition.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition on the affected software, ClamAV. This means the scanning process can be forcibly terminated by an attacker, potentially interrupting antivirus scanning operations.

Exploitation could lead to temporary system resource consumption or scanning interruptions, which may reduce the effectiveness of malware detection and protection on your device.

Detection Guidance

There are no specific detection commands or network indicators provided for this vulnerability. Detection would primarily involve identifying if the affected versions of ClamAV are in use on your systems.

Since the vulnerability is triggered by scanning specially crafted PE files, monitoring for unexpected ClamAV process crashes or denial of service conditions during file scanning could be an indirect indicator.

To check the installed ClamAV version, you can use commands such as:

  • clamd --version
  • clamscan --version

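The fixed versions this page lists are Secure Endpoint Connector releases (Windows 8.6.2, Linux 1.29.0, Mac 1.27.2); if the installed version is older than the fixed version for its platform, the system is vulnerable.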

Mitigation Strategies

The primary mitigation step is to upgrade ClamAV to the fixed versions released by Cisco.

  • Upgrade Secure Endpoint Connector for Windows to version 8.6.2 or later.
  • Upgrade Secure Endpoint Connector for Linux to version 1.29.0 or later.
  • Upgrade Secure Endpoint Connector for Mac to version 1.27.2 or later.

No workarounds are available, so applying the software update is the only effective mitigation.
