
A security update has been released for ClamAV, an antivirus utility for Unix, to address two vulnerabilities: CVE-2025-20128 and CVE-2025-20260. The first allows an attacker to cause a denial of service by exploiting the Object Linking and Embedding 2 (OLE2) decryption routine in ClamAV. The second allows an attacker to cause a buffer overflow, a denial of service, or arbitrary code execution on an affected device by exploiting the PDF scanning processes in ClamAV. Users are advised to upgrade their ClamAV packages to version 1.0.9+dfsg-1~deb11u1 (Debian GNU/Linux 11 LTS), 1.0.9+dfsg-1~deb9u1 (Debian GNU/Linux 9 ELTS) or 1.0.9+dfsg-1~deb10u1 (Debian GNU/Linux 10 ELTS).

[DLA 4292-1] clamav security update
ELA-1511-1 clamav security update
[SECURITY] [DLA 4292-1] clamav security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4292-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Lucas Kanashiro
September 04, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : clamav
Version : 1.0.9+dfsg-1~deb11u1
CVE ID : CVE-2025-20128 CVE-2025-20260
Debian Bug : 1093880 1108046

A couple of vulnerabilities have been fixed in ClamAV, an anti-virus utility
for Unix.

CVE-2025-20128

The Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV
could allow an unauthenticated, remote attacker to cause a denial of service
(DoS) condition on an affected device.

CVE-2025-20260

The PDF scanning processes of ClamAV could allow an unauthenticated, remote
attacker to cause a buffer overflow condition, cause a denial of service (DoS)
condition, or execute arbitrary code on an affected device.

For Debian 11 bullseye, these problems have been fixed in version
1.0.9+dfsg-1~deb11u1.

We recommend that you upgrade your clamav packages.

For the detailed security status of clamav please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/clamav

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1511-1 clamav security update


Package : clamav
Version : 1.0.9+dfsg-1~deb9u1 (stretch), 1.0.9+dfsg-1~deb10u1 (buster)

Related CVEs :
CVE-2025-20128
CVE-2025-20260

A couple of vulnerabilities have been fixed in ClamAV, an anti-virus utility
for Unix, in this new upstream stable release.

CVE-2025-20128
The Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV
could allow an unauthenticated, remote attacker to cause a denial of service
(DoS) condition on an affected device.

CVE-2025-20260
The PDF scanning processes of ClamAV could allow an unauthenticated, remote
attacker to cause a buffer overflow condition, cause a denial of service (DoS)
condition, or execute arbitrary code on an affected device.
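Confirming that an installed clamav package already carries these fixes means comparing its version string with the fixed versions above under dpkg's ordering rules, where the `~` in `1.0.9+dfsg-1~deb11u1` makes it sort below a plain `1.0.9+dfsg-1`. The following is an added example, not code from the advisories or from the ClamAV project: a pure-Python port of dpkg's version comparison, with the fixed versions taken from DLA-4292-1 and ELA-1511-1 and any sample installed versions constructed for illustration.

```python
# Added example (not from the Debian advisories): a pure-Python port of dpkg's
# version ordering, used to check whether an installed clamav already carries
# the fixes for CVE-2025-20128 / CVE-2025-20260 per DLA-4292-1 and ELA-1511-1.
FIXED_VERSIONS = {
    "bullseye": "1.0.9+dfsg-1~deb11u1",  # Debian 11 LTS, DLA-4292-1
    "buster": "1.0.9+dfsg-1~deb10u1",    # Debian 10 ELTS, ELA-1511-1
    "stretch": "1.0.9+dfsg-1~deb9u1",    # Debian 9 ELTS, ELA-1511-1
}

def _order(c):
    # dpkg's order(): end/digit = 0, '~' < end, letters by code point, punctuation last.
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp(): alternating lexical and integer segments (1.0.10 > 1.0.9).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])  # "" past the end
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        ni = nj = 0
        while i < len(a) and a[i].isdigit():
            ni, i = ni * 10 + int(a[i]), i + 1
        while j < len(b) and b[j].isdigit():
            nj, j = nj * 10 + int(b[j]), j + 1
        if ni != nj:
            return ni - nj
    return 0

def _split(version):
    # "[epoch:]upstream[-revision]"; epoch defaults to 0, revision to "".
    epoch, sep, rest = version.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    # -1, 0 or 1 as Debian version a sorts below, equal to or above b.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    d = (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (d > 0) - (d < 0)

def is_patched(codename, installed):
    return compare_versions(installed, FIXED_VERSIONS[codename]) >= 0
```

On a live system the installed version comes from `dpkg-query -W -f='${Version}' clamav`, and `dpkg --compare-versions` applies the same ordering natively.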
