CVE-2025-20260

CVE-2025-20260 is a critical-severity vulnerability in Clamav with a CVSS 3.x base score of 9.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-122.

Key facts

Description

A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.

Frequently asked questions

What is CVE-2025-20260?
A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.
How severe is CVE-2025-20260?
CVE-2025-20260 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2025-20260 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (72nd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2025-20260?
CVE-2025-20260 affects Clamav. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2025-20260?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
Does CVE-2025-20260 have an EU (EUVD) identifier?
Yes. CVE-2025-20260 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-18658.
When was CVE-2025-20260 published?
CVE-2025-20260 was published on 2025-06-18 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Clamav

All CVEs affecting Clamav →

Other CWE-122 (Heap-based Buffer Overflow) vulnerabilities

Browse all CWE-122 (Heap-based Buffer Overflow) vulnerabilities →