Today, we are publishing the 1.4.2 and 1.0.8 security patch versions. The release files for the patch versions are available for download on the ClamAV downloads page, on the GitHub Release page, and through Docker Hub. The images on Docker Hub may not be immediately available on release day. Continue reading to learn what changed in each version.
1.4.2
ClamAV 1.4.2 is a patch release with the following fixes:
- CVE-2025-20128: Fixed a possible buffer overflow read bug in the OLE2 file parser that could cause a denial-of-service (DoS) condition.
This issue was introduced in version 1.0.0 and affects all currently supported versions. It will be fixed in: 1.4.2 and 1.0.8
Thank you to OSS-Fuzz for identifying this issue.
1.0.8
ClamAV 1.0.8 is a patch release with the following fixes:
- CVE-2025-20128: Fixed a possible buffer overflow read bug in the OLE2 file parser that could cause a denial-of-service (DoS) condition.
This issue was introduced in version 1.0.0 and affects all currently supported versions. It will be fixed in: 1.4.2 and 1.0.8
Thank you to OSS-Fuzz for identifying this issue.
- ClamOnAcc: Fixed an infinite loop when a watched directory does not exist. This is a backport of a fix from ClamAV 1.3.0.