ClamAV security patch fixes 7 scanner bugs from last 20 years

▼ Summary
– ClamAV released patch versions 1.5.3 and 1.4.5 fixing seven security flaws, with most bugs in the unpacking and parsing code for executable formats.
– CVE-2026-20213 and CVE-2026-20214 are integer overflow and loop underflow bugs in the PE rebuild and FSG unpacker that can cause heap buffer overflows.
– CVE-2026-20217 is a bug in the PESpin unpacker cleanup that can crash the scanner by freeing pointers into the scanned file buffer.
– Archive and image format fixes include bugs in 7z, ALZ, InstallShield, and 32-bit DMG parsers that can cause crashes, aborts, or resource exhaustion.
– The releases also harden quarantine actions in clamscan, clamdscan, and clamonacc against time-of-check/time-of-use races.
Open source antivirus scanning is a critical layer inside mail gateways, file upload validators, and endpoint defenses at organizations worldwide. Much of that heavy lifting relies on ClamAV, the scanning engine maintained by Cisco’s Talos group. The project has issued two patch versions, 1.5.3 and 1.4.5, which together address seven security vulnerabilities and include several smaller hardening improvements.
Most of the patched bugs reside in the code responsible for unpacking and parsing executable formats, an area of any scanner that must handle potentially hostile input. CVE-2026-20213 is an integer overflow in the PE rebuild size calculation, triggered by a malformed Aspack-packed file, which can result in a heap buffer overflow write. The related CVE-2026-20214 covers an FSG unpacker loop underflow that can write past the section array during a scan of a crafted PE file. Both flaws reach deep into the codebase; the FSG issue has been present in builds dating back to 2004.
CVE-2026-20217 rounds out the PE group. A bug in the PESpin unpacker cleanup path could free pointers into the scanned file buffer and crash the scanner. This vulnerability has existed in the code since 2005.
Three additional fixes address archive and disk-image handling. CVE-2026-20215 is a 7z parser substream count overflow that can under-allocate parser metadata arrays and then write past them when reading a crafted archive. CVE-2026-20243 covers ALZ parser size handling errors that can make malformed ALZ archives panic, abort the scanner, or skip expected scan-limit handling. CVE-2026-20216 is an InstallShield archive extraction limit bypass that can write far more temporary data than intended and drain temporary storage.
The last parsing flaw, CVE-2026-20244, sits in the 32-bit DMG parser. A short mish stripe table could pass validation and crash the scanner. This vulnerability affects only 32-bit builds, going back to version 0.98.1, and leaves 64-bit builds untouched.
The releases also harden the quarantine actions in clamscan, clamdscan, and clamonacc against time-of-check/time-of-use races. Under unsafe quarantine directory settings, those races could redirect files as the scanner copied, moved, or removed them. Hiroki Imai of Ricerca Security, Inc. reported the issue.
Version 1.5.3 adds a few items beyond 1.4.5. It upgrades the Rust tar dependency to resolve two RUSTSEC advisories and moves the Rust openssl dependency past CVE-2026-41676. Metadata preclass scans now run before the final scan verdict. A ClamOnAcc fix addresses hash bucket list corruption when two watched paths land in the same bucket. Both releases raise the minimum CMake version to 3.17 to repair Linux builds that link static dependencies against libcurl v8.21.0.
The release files are available on the GitHub release page and through Docker Hub in Alpine and Debian containers.
(Source: Help Net Security)