Wednesday, July 1, 2026

ClamAV 1.5.3 and 1.4.5 security patch versions published

Today, we are publishing the 1.5.3 and 1.4.5 security patch versions.

The release files for the patch versions are available for download on the ClamAV downloads page, on the GitHub Release page, and through Docker Hub with both Alpine and Debian containers. The images on Docker Hub may not be immediately available on release day. Continue reading to learn what changed in each version.

1.5.3

ClamAV 1.5.3 is a patch release with the following fixes:

  • CVE-2026-20217: Fixed a bug in the PESpin unpacker cleanup path that could free pointers into the scanned file buffer and crash the scanner.

    This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2005. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Atuin (Automated Vulnerability Discovery Engine) and Tianchu Chen of Tencent Xuanwu Lab for identifying this issue.

  • CVE-2026-20213: Fixed an integer overflow in PE rebuild size calculations that could be reached through a malformed Aspack-packed PE file and lead to a heap buffer overflow write.

    This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2007. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Trail of Bits, in collaboration with Anthropic, for identifying this issue.

  • CVE-2026-20216: Fixed an InstallShield archive extraction limit bypass that could write far more temporary data than intended and exhaust temporary storage.

    This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2009. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Mizu for identifying this issue.

  • CVE-2026-20214: Fixed an FSG unpacker loop underflow that could write past the section array while scanning a malformed PE file.

    This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2004. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Trail of Bits, in collaboration with Anthropic, for identifying this issue.

  • CVE-2026-20243: Fixed ALZ parser size handling bugs that could cause malformed ALZ archives to panic, abort the scanner, or skip expected scan-limit handling.

    This issue affects ClamAV 1.5.0 through 1.5.2 and 1.4.0 through 1.4.4. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Yazdan Soltani for identifying this issue.

  • CVE-2026-20215: Fixed a 7z parser substream count overflow that could under-allocate parser metadata arrays and write past them while reading a malformed archive.

    This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2009. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Trail of Bits, in collaboration with Anthropic, for identifying this issue.

  • CVE-2026-20244: Fixed 32-bit DMG parser size checks that could let a short mish stripe table pass validation and crash 32-bit scanner builds.

    This issue affects 32-bit ClamAV builds from 0.98.1 through 1.5.2, including 1.4.0 through 1.4.4 and 1.5.0 through 1.5.2. It does not affect 64-bit builds. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Stanley John Tobias for identifying this issue.

  • Hardened clamscan, clamdscan, and clamonacc quarantine actions against time-of-check/time-of-use races that could redirect copied, moved, or removed files under unsafe quarantine directory configurations.

    Thank you to Hiroki Imai from Ricerca Security, Inc. for identifying this issue.

  • Upgraded the Rust tar dependency to resolve the RUSTSEC-2026-0067 and RUSTSEC-2026-0068 advisories, and upgraded the Rust openssl dependency to resolve CVE-2026-41676.

  • Raised the minimum required CMake version to 3.17 to fix Linux builds with libcurl v8.21.0 when linking static library dependencies.

  • Metadata preclass scans now run before the final scan verdict.

  • ClamOnAcc: Fixed errors when recursively excluded paths are children of an included path.

  • ClamOnAcc: Fixed hash bucket list corruption when two watched paths collide in the same bucket.

    These fixes are courtesy of sharkautarch.
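Three of the fixes above (CVE-2026-20213, CVE-2026-20215 and CVE-2026-20244) share one bug class: a count or size read from the file is multiplied or summed in fixed-width arithmetic before it is checked, so a wrapped result passes validation or under-allocates an array. The C below is an added illustration of that class beside its checked counterpart, not ClamAV's code; the function names and sample values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed illustration of the size-arithmetic bug class, not ClamAV code.
 * Counts stay in uint32_t to mirror what a 32-bit build computes. */

/* Unsafe: the header count times the entry size is formed first and compared
 * second, so the product can wrap and a far-too-short table "fits". */
bool table_fits_naive(uint32_t count, uint32_t entry_size, uint32_t remaining)
{
    uint32_t needed = count * entry_size;   /* wraps silently */
    return needed <= remaining;
}

/* Safe: refuse before the product can wrap, then compare against the bytes
 * actually left in the input buffer. */
bool table_fits_checked(uint32_t count, uint32_t entry_size, uint32_t remaining)
{
    if (entry_size == 0)
        return count == 0;            /* zero-sized entries: only an empty table is sane */
    if (count > UINT32_MAX / entry_size)
        return false;                 /* count * entry_size would overflow */
    return count * entry_size <= remaining;
}

/* Unsafe: per-folder substream counts summed to size one metadata array; the
 * running total can wrap, and the array is then allocated far too small for
 * the entries the parser goes on to write. */
uint32_t sum_counts_naive(const uint32_t *counts, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += counts[i];
    return total;
}

/* Safe: report that the total is not representable so the caller rejects the
 * archive instead of allocating from a wrapped value. */
bool sum_counts_checked(const uint32_t *counts, size_t n, uint32_t *total)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        if (counts[i] > UINT32_MAX - acc)
            return false;             /* acc + counts[i] would overflow */
        acc += counts[i];
    }
    *total = acc;
    return true;
}
```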
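The quarantine hardening above concerns the window between checking the quarantine directory and writing into it. The C below is an added sketch of the descriptor-relative pattern that closes that window (open the directory once, fstat the descriptor, rename relative to it); it is not ClamAV's code, and the function names and the ownership/sticky-bit policy are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdbool.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed illustration, not ClamAV code: fd-relative quarantine move.
 * Policy check on an already fstat()ed quarantine directory: a real directory,
 * owned by the scanning user, and not writable by others unless the sticky
 * bit stops them from renaming or unlinking our entries (assumed policy). */
bool quarantine_dir_is_safe(const struct stat *st, uid_t me)
{
    if (!S_ISDIR(st->st_mode) || st->st_uid != me)
        return false;
    if ((st->st_mode & (S_IWGRP | S_IWOTH)) && !(st->st_mode & S_ISVTX))
        return false;
    return true;
}

/* The destination name must be a single path component, so a file name taken
 * from the scanned input cannot steer the write out of the directory. */
bool is_plain_filename(const char *name)
{
    return name[0] != '\0' && strchr(name, '/') == NULL
        && strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Open the quarantine directory once with O_NOFOLLOW, validate that descriptor
 * with fstat(), and rename relative to it. A symlink swapped in for the
 * quarantine path after the check no longer redirects the move, because the
 * path is never resolved again. Returns 0 on success, -1 on refusal/error. */
int quarantine_move(const char *src, const char *qdir, const char *name)
{
    if (!is_plain_filename(name))
        return -1;
    int dfd = open(qdir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    struct stat st;
    if (fstat(dfd, &st) != 0 || !quarantine_dir_is_safe(&st, geteuid())) {
        close(dfd);
        return -1;
    }
    int rc = renameat(AT_FDCWD, src, dfd, name) == 0 ? 0 : -1;
    close(dfd);
    return rc;
}
```

The source path is still resolved by name at rename time; protecting that side requires the scanner to hold the scanned file's descriptor from scan through quarantine, which this snippet does not attempt.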


1.4.5

ClamAV 1.4.5 is a patch release with the following fixes:

  • CVE-2026-20217: Fixed a bug in the PESpin unpacker cleanup path that could free pointers into the scanned file buffer and crash the scanner.

    This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2005. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Atuin (Automated Vulnerability Discovery Engine) and Tianchu Chen of Tencent Xuanwu Lab for identifying this issue.

  • CVE-2026-20213: Fixed an integer overflow in PE rebuild size calculations that could be reached through a malformed Aspack-packed PE file and lead to a heap buffer overflow write.

    This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2007. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Trail of Bits, in collaboration with Anthropic, for identifying this issue.

  • CVE-2026-20216: Fixed an InstallShield archive extraction limit bypass that could write far more temporary data than intended and exhaust temporary storage.

    This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2009. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Mizu for identifying this issue.

  • CVE-2026-20214: Fixed an FSG unpacker loop underflow that could write past the section array while scanning a malformed PE file.

    This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2004. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Trail of Bits, in collaboration with Anthropic, for identifying this issue.

  • CVE-2026-20243: Fixed ALZ parser size handling bugs that could cause malformed ALZ archives to panic, abort the scanner, or skip expected scan-limit handling.

    This issue affects ClamAV 1.5.0 through 1.5.2 and 1.4.0 through 1.4.4. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Yazdan Soltani for identifying this issue.

  • CVE-2026-20215: Fixed a 7z parser substream count overflow that could under-allocate parser metadata arrays and write past them while reading a malformed archive.

    This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2009. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Trail of Bits, in collaboration with Anthropic, for identifying this issue.

  • CVE-2026-20244: Fixed 32-bit DMG parser size checks that could let a short mish stripe table pass validation and crash 32-bit scanner builds.

    This issue affects 32-bit ClamAV builds from 0.98.1 through 1.5.2, including 1.4.0 through 1.4.4 and 1.5.0 through 1.5.2. It does not affect 64-bit builds. The fix is included in 1.5.3 and 1.4.5.

    Thank you to Stanley John Tobias for identifying this issue.

  • Hardened clamscan, clamdscan, and clamonacc quarantine actions against time-of-check/time-of-use races that could redirect copied, moved, or removed files under unsafe quarantine directory configurations.

    Thank you to Hiroki Imai from Ricerca Security, Inc. for identifying this issue.

  • Raised the minimum required CMake version to 3.17 to fix Linux builds with libcurl v8.21.0 when linking static library dependencies.

  • ClamOnAcc: Fixed errors when recursively excluded paths are children of an included path.

    This fix is courtesy of sharkautarch.