Package | clamav |
---|---|
Version | 1.0.9+dfsg-1~deb9u1 (stretch), 1.0.9+dfsg-1~deb10u1 (buster) |
Related CVEs | CVE-2025-20128 CVE-2025-20260 |

A couple of vulnerabilities have been fixed in ClamAV, an anti-virus utility for Unix, in this new upstream stable release.

CVE-2025-20128

The Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

CVE-2025-20260

The PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device.

For Debian 10 buster, these problems have been fixed in version 1.0.9+dfsg-1~deb10u1.
For Debian 9 stretch, these problems have been fixed in version 1.0.9+dfsg-1~deb9u1.
We recommend that you upgrade your clamav packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.