Source: clamav
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for clamav.

CVE-2025-20128[0]:
| A vulnerability in the Object Linking and Embedding 2 (OLE2)
| decryption routine of ClamAV could allow an unauthenticated, remote
| attacker to cause a denial of service (DoS) condition on an affected
| device. This vulnerability is due to an integer underflow in a
| bounds check that allows for a heap buffer overflow read. An
| attacker could exploit this vulnerability by submitting a crafted
| file containing OLE2 content to be scanned by ClamAV on an affected
| device. A successful exploit could allow the attacker to terminate
| the ClamAV scanning process, resulting in a DoS condition on the
| affected software. For a description of this vulnerability, see the
| . Cisco has released software updates that address this
| vulnerability. There are no workarounds that address this
| vulnerability.

https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-20128
    https://www.cve.org/CVERecord?id=CVE-2025-20128

Please adjust the affected versions in the BTS as needed.
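The bug class the advisory names (an integer underflow in a bounds check that lets a read run past the end of a heap buffer) in reduced form, as an added C illustration written for this report; it is not ClamAV's code and makes no claim about where the real check sits. The blob layout, function names and offsets are constructed, and the hardened check shows the ordering that prevents the subtraction from wrapping.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample "container": a 16-byte blob whose records are
 * addressed by (offset, length) pairs taken from untrusted input. */
#define BLOB_LEN 16u
static const uint8_t sample_blob[BLOB_LEN] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};

/* Vulnerable pattern: `total - offset` is evaluated in size_t, so an
 * input offset larger than `total` wraps to a huge "remaining" value
 * and `need <= remaining` passes. A caller that then reads `need`
 * bytes at `offset` reads past the buffer and typically crashes. */
static bool in_bounds_vulnerable(size_t offset, size_t need, size_t total) {
    size_t remaining = total - offset;  /* underflows when offset > total */
    return need <= remaining;
}

/* Hardened check: reject the offset before subtracting, so the
 * difference can never wrap; comparing against `total - offset`
 * (rather than `offset + need <= total`) also avoids overflow in
 * the addition. */
static bool in_bounds_hardened(size_t offset, size_t need, size_t total) {
    if (offset > total)
        return false;
    return need <= total - offset;
}

/* Copy a record out of the blob only when the hardened check passes.
 * Returns the number of bytes copied, or 0 when the record is rejected. */
static size_t read_record(const uint8_t *blob, size_t total,
                          size_t offset, size_t need, uint8_t *out) {
    if (!in_bounds_hardened(offset, need, total))
        return 0;
    memcpy(out, blob + offset, need);
    return need;
}

/* Drive read_record() against the constructed blob with an input-supplied
 * (offset, length) pair; the output buffer is bounded as well. */
static size_t probe(size_t offset, size_t need) {
    uint8_t out[BLOB_LEN] = {0};
    if (need > sizeof out)
        return 0;
    return read_record(sample_blob, BLOB_LEN, offset, need, out);
}
```

The vulnerable check accepts an offset of 32 into a 16-byte blob because the wrapped remainder is enormous, while the hardened one rejects it and still admits every genuinely in-range record.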