ClamAV 1.5.3 Open-Source Antivirus Fixes Multiple Security Vulnerabilities

ClamAV 1.5.3 open-source antivirus engine released with fixes for multiple security vulnerabilities affecting file parsing, archive scanning, and executable unpacking.

ClamAV 1.5.3 has been released as a security patch update for the open-source antivirus engine widely used on Linux and Unix-like systems, especially for mail gateway scanning, file server protection, and automated malware detection.

The update fixes CVE-tracked issues affecting how ClamAV handles malformed or specially crafted files. One, CVE-2026-20217, concerns the PESpin unpacker cleanup path, where a bug could free pointers into the scanned file buffer and crash the scanner.

Another PE-related fix addresses CVE-2026-20213, an integer overflow in PE rebuild size calculations. This could be triggered by a malformed Aspack-packed PE file and lead to a heap buffer overflow. ClamAV 1.5.3 also fixes CVE-2026-20214, an FSG unpacker loop underflow that could write past the section array when scanning a malformed PE file.

Archive scanning also received security fixes. CVE-2026-20216 fixes an InstallShield archive extraction limit bypass that could cause ClamAV to write more temporary data than intended, potentially exhausting storage. Plus, the release addresses CVE-2026-20243, ALZ parser size-handling bugs that could cause malformed ALZ archives to panic, abort the scanner, or skip scan-limit checks.

Another archive-related vulnerability, CVE-2026-20215, concerns the 7z parser. The bug involved a substream count overflow causing under-allocated metadata arrays and out-of-bounds writes when reading a malformed archive.

The last CVE listed is CVE-2026-20244, affecting only 32-bit ClamAV builds. It fixes DMG parser size checks that could let a malformed mish stripe table pass validation and crash 32-bit scanners. 64-bit builds are not affected.

Beyond the CVE fixes, ClamAV 1.5.3 hardens quarantine actions in clamscan, clamdscan, and clamonacc against time-of-check/time-of-use races. In unsafe quarantine directory setups, such races could redirect copied, moved, or removed files.

On top of that, ClamAV 1.5.3 changes metadata preclass scan handling so these scans run before the final verdict. ClamOnAcc received two fixes: one for errors when recursively excluded paths are children of an included path, and another for hash bucket list corruption when two watched paths collide in the same bucket.

Lastly, users still on the older 1.4 branch should note that ClamAV 1.4.5 has also been released with the same security fixes.

For additional details, see the announcement. The release files are available from the ClamAV downloads page, GitHub releases, and Docker Hub, with Alpine- and Debian-based container images provided.

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

Leave a Reply

Your email address will not be published. Required fields are marked *