New ClamAV security patch closes seven scanner bugs dating back two decades
Open source antivirus scanning sits inside mail gateways, file upload checks, and endpoint tooling at organizations of every size. Much of that work runs through ClamAV, the scanning engine maintained by Cisco’s Talos group. The project released two patch versions, 1.5.3 and 1.4.5, carrying fixes for seven security flaws along with smaller hardening changes.

Packer and PE parsing flaws
Most of the patched bugs sit in the code that unpacks and parses executable formats, the part of a scanner built to handle hostile input. CVE-2026-20213 is an integer overflow in the PE rebuild size calculation that a malformed Aspack-packed file can trigger, leading to a heap buffer overflow write. The related CVE-2026-20214 covers an FSG unpacker loop underflow that can write past the section array during a scan of a crafted PE file. Both reach far back through the codebase, with the FSG issue present in builds dating to 2004.
CVE-2026-20217 rounds out the PE group. A bug in the PESpin unpacker cleanup path could free pointers into the scanned file buffer and crash the scanner. That flaw has lived in the code since 2005.
Archive and image format bugs
Three more fixes address archive and disk-image handling. CVE-2026-20215 is a 7z parser substream count overflow that can under-allocate parser metadata arrays and then write past them when reading a crafted archive. CVE-2026-20243 covers size handling errors in the ALZ parser: a malformed ALZ archive can trigger a panic that aborts the scanner, or cause the parser to skip the scan-limit checks it is expected to apply. CVE-2026-20216 is an InstallShield archive extraction limit bypass that can write far more temporary data than intended and drain temporary storage.
The last parsing flaw, CVE-2026-20244, sits in the 32-bit DMG parser. A short mish stripe table could pass validation and crash the scanner. This one affects only 32-bit builds, going back to version 0.98.1, and leaves 64-bit builds untouched.
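The Aspack PE rebuild overflow and the 7z substream count overflow are the same bug class: an allocation size derived from counts the file supplies, computed in arithmetic that can wrap, followed by a copy loop that trusts the original counts. The following is an added illustration of that class and of the check that closes it; it is not ClamAV's PE or 7z code, and the layout (a header followed by nsections fixed-size sections), the field names and the per-file limit are assumptions chosen to make the arithmetic visible.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the size-calculation bug class behind the Aspack PE
 * and 7z substream fixes. Not ClamAV's code: the layout (header followed by
 * nsections sections of section_size bytes) and the limit are assumptions. */

/* Unsafe: the total is computed in 32-bit arithmetic straight from fields the
 * file supplies. nsections = section_size = 0x10000 makes the product wrap to
 * 0, so the "rebuild size" collapses to header_size, and a copy loop that
 * still trusts nsections writes far past the heap buffer. */
uint32_t rebuild_size_unsafe(uint32_t header_size, uint32_t nsections,
                             uint32_t section_size)
{
    return header_size + nsections * section_size;
}

/* Hardened: widen to 64 bits, reject any wrap-around, and cap the result at an
 * explicit per-file limit. Returns the size, or -1 when the input is refused. */
int64_t rebuild_size_checked(uint32_t header_size, uint32_t nsections,
                             uint32_t section_size, uint32_t max_rebuild)
{
    uint64_t sections = (uint64_t)nsections * (uint64_t)section_size;
    uint64_t total    = (uint64_t)header_size + sections;
    if (sections > UINT32_MAX || total > max_rebuild)
        return -1;
    return (int64_t)total;
}

/* Rebuild the image from the checked size. The same bound is applied to the
 * input side, so neither the read nor the write can run past its buffer.
 * Returns NULL (leaving *out_len untouched) when the file is refused. */
unsigned char *rebuild_image(const unsigned char *in, size_t in_len,
                             uint32_t header_size, uint32_t nsections,
                             uint32_t section_size, uint32_t max_rebuild,
                             size_t *out_len)
{
    int64_t total = rebuild_size_checked(header_size, nsections, section_size,
                                         max_rebuild);
    if (total < 0 || (uint64_t)total > in_len)   /* file shorter than it claims */
        return NULL;

    unsigned char *out = malloc(total ? (size_t)total : 1);
    if (!out)
        return NULL;
    memcpy(out, in, header_size);
    for (uint32_t i = 0; i < nsections; i++) {
        size_t off = (size_t)header_size + (size_t)i * section_size;
        memcpy(out + off, in + off, section_size);   /* off + section_size <= total */
    }
    *out_len = (size_t)total;
    return out;
}

/* Constructed inputs: one sane image and one whose counts wrap. Returns 1 when
 * the sane one rebuilds to the right length and the wrapping one is refused. */
int demo_rebuild(void)
{
    static unsigned char file[0x1800];           /* 0x1000 header + 4 * 0x200 */
    size_t n = 0;
    for (size_t i = 0; i < sizeof file; i++)
        file[i] = (unsigned char)i;

    unsigned char *img = rebuild_image(file, sizeof file, 0x1000, 4, 0x200,
                                       0x10000000, &n);
    int ok = img && n == sizeof file && memcmp(img, file, n) == 0;
    free(img);

    /* Same buffer, but the counts now wrap: the unsafe math says 0x1000 bytes
     * would do, while the checked path refuses the file outright. */
    ok = ok && rebuild_size_unsafe(0x1000, 0x10000, 0x10000) == 0x1000
            && rebuild_image(file, sizeof file, 0x1000, 0x10000, 0x10000,
                             0x10000000, &n) == NULL;
    return ok;
}
```

The point of the checked version is that the limit is applied to the arithmetic result, not to the individual fields: each field can look reasonable on its own and still produce a wrapped total.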
Quarantine race condition
The releases also harden the quarantine actions in clamscan, clamdscan, and clamonacc against time-of-check/time-of-use races. Under unsafe quarantine directory settings, those races could redirect files as the scanner copied, moved, or removed them. Hiroki Imai of Ricerca Security, Inc. reported the issue.
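The shape of a quarantine race, and the directory-descriptor pattern that closes it, as an added example written for this article. It is not ClamAV's clamscan or clamonacc code: the policy checks (quarantine directory owned by the scanner's user and not writable by group or other) and the temp-tree layout in the demo are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added illustration of the quarantine race, not ClamAV's clamscan code.
 * The policy checks and the temp-tree layout in the demo are assumptions. */

/* Unsafe: stat() the source, then rename() by path string. Each call walks the
 * path again, so between the two an attacker controlling any parent directory
 * can swap the quarantine directory (or a source component) for a symlink and
 * the file lands somewhere the scanner never checked. */
int quarantine_unsafe(const char *path, const char *qdir)
{
    struct stat st;
    char dest[4096];
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))   /* check */
        return -1;
    snprintf(dest, sizeof dest, "%s/%s", qdir, base);
    return rename(path, dest);                           /* use: path re-walked */
}

/* Hardened: pin both directories to descriptors first (refusing symlinks),
 * require the quarantine directory to be ours and not group/other writable,
 * check the entry relative to the pinned fd, then renameat() against those
 * fds. No path string is walked again after the checks. 0 on success. */
int quarantine_safe(const char *srcdir, const char *name, const char *qdir)
{
    struct stat st;
    int sfd, qfd = -1, rc = -1;

    if (strchr(name, '/'))                  /* exactly one path component */
        return -1;
    sfd = open(srcdir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (sfd < 0)
        return -1;
    qfd = open(qdir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);  /* ELOOP on a symlink */
    if (qfd < 0)
        goto out;
    if (fstat(qfd, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH)))
        goto out;
    if (fstatat(sfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0 || !S_ISREG(st.st_mode))
        goto out;
    if (renameat(sfd, name, qfd, name) == 0)
        rc = 0;
out:
    close(sfd);
    if (qfd >= 0)
        close(qfd);
    return rc;
}

/* Constructed demo in a temp tree: a 0700 quarantine dir accepts the move, a
 * world-writable one and a symlink standing in for one are both refused.
 * Returns 1 when all three behave that way. */
int demo_quarantine(void)
{
    const char *tmp = getenv("TMPDIR");
    char root[256], src[512], good[512], bad[512], lnk[512], sample[600], moved[600];
    FILE *f;
    int ok;

    snprintf(root, sizeof root, "%s/quarXXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(root))
        return 0;
    snprintf(src,  sizeof src,  "%s/src",  root);
    snprintf(good, sizeof good, "%s/good", root);
    snprintf(bad,  sizeof bad,  "%s/bad",  root);
    snprintf(lnk,  sizeof lnk,  "%s/lnk",  root);
    snprintf(sample, sizeof sample, "%s/sample.bin", src);
    snprintf(moved,  sizeof moved,  "%s/sample.bin", good);
    if (mkdir(src, 0700) || mkdir(good, 0700) || mkdir(bad, 0700) ||
        chmod(bad, 0777) || symlink(bad, lnk))
        return 0;
    if (!(f = fopen(sample, "wb")))
        return 0;
    fputs("constructed sample, not a real detection\n", f);
    fclose(f);

    ok = quarantine_safe(src, "sample.bin", bad) == -1     /* world-writable */
      && quarantine_safe(src, "sample.bin", lnk) == -1     /* symlink, O_NOFOLLOW */
      && quarantine_safe(src, "sample.bin", good) == 0
      && access(moved, F_OK) == 0 && access(sample, F_OK) != 0;

    unlink(moved); unlink(lnk); rmdir(src); rmdir(good); rmdir(bad); rmdir(root);
    return ok;
}
```

Two caveats a practitioner should keep in mind. The hardened version still has a small window on the final component: if the entry is replaced between fstatat() and renameat(), whatever is there gets moved, but renameat() never follows a symlink, so the worst case is a stray link inside the quarantine, not a write outside it. And when source and quarantine sit on different filesystems renameat() fails with EXDEV; the copy-then-unlink fallback has to be done through the pinned descriptors too, or it reopens the same race.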
Version 1.5.3 adds a few items beyond 1.4.5. It upgrades the Rust tar dependency to resolve two RUSTSEC advisories and moves the Rust openssl dependency past CVE-2026-41676. Metadata preclass scans now run before the final scan verdict. A ClamOnAcc fix addresses hash bucket list corruption when two watched paths land in the same bucket. Both releases raise the minimum CMake version to 3.17 to repair Linux builds that link static dependencies against libcurl v8.21.0.
The release files are available on the GitHub release page, and through Docker Hub in Alpine and Debian containers.
