New ClamAV Patch Fixes Seven Long‑standing Scanner Vulnerabilities (CVE‑2026‑20213 to CVE‑2026‑20244)
What Happened — The open‑source antivirus engine ClamAV (maintained by Cisco Talos) released two patch versions, 1.5.3 and 1.4.5, that remediate seven security flaws spanning PE/EXE parsing, archive handling, and quarantine‑operation race conditions. The bugs, some dating back to 2004, include integer overflows, under‑allocations, and TOCTOU issues that could lead to remote code execution or denial‑of‑service during a scan.
Why It Matters for Compliance & Audit Readiness
- Demonstrates the need for a documented vulnerability‑management program that tracks, tests, and applies patches to third‑party components used in security tooling.
- Provides a concrete example of why continuous control evidence (e.g., patch‑level inventories, change‑management logs) is essential for SOC 2 audit readiness.
- Highlights the importance of mapping these fixes to the System Security (CC6.1) and Change Management (CC7.1) criteria in the Trust Services Criteria, and retaining proof of remediation in a verifiable audit trail.
Who Is Affected — Organizations that embed ClamAV in mail gateways, file‑upload scanners, endpoint protection, or any SaaS platform that relies on its engine. Typical sectors: technology/SaaS, cloud‑infrastructure providers, managed security services, and large enterprises with on‑premise email security appliances.
Recommended Actions
- Deploy the latest ClamAV 1.5.3 (or 1.4.5 where applicable) across all scanning nodes.
- Verify the patch level with an automated inventory tool and record the version as audit evidence.
- Update your vulnerability‑management policy to include open‑source components and map each CVE to the relevant SOC 2 control.
- Conduct a post‑patch test scan of known malicious samples to confirm remediation.
Source: Help Net Security
Technical Notes
- CVE‑2026‑20213 – Integer overflow in PE rebuild size → heap buffer overflow.
- CVE‑2026‑20214 – FSG unpacker loop underflow → out‑of‑bounds write.
- CVE‑2026‑20217 – PESpin cleanup frees pointers → scanner crash.
- CVE‑2026‑20215 – 7z parser substream count overflow → memory corruption.
- CVE‑2026‑20243 – ALZ parser size error → abort or skip scan limits.
- CVE‑2026‑20216 – InstallShield archive extraction limit bypass → temporary‑storage exhaustion.
- CVE‑2026‑20244 – 32‑bit DMG parser short table → crash on crafted image.
- Additional TOCTOU race condition in quarantine actions under unsafe directory settings.
Source: same as above