Multiple ClamAV Vulnerabilities Let Remote Attackers Crash Cisco Endpoint Scanning
Cisco has disclosed multiple ClamAV vulnerabilities that can allow an unauthenticated remote attacker to crash antivirus scanning and cause a denial-of-service condition on affected systems.
The flaws were published in the Cisco ClamAV security advisory on July 1, 2026. They affect Cisco Secure Endpoint Connector deployments for Windows, Linux, and Mac through vulnerable ClamAV components.
Cisco rates the impact as High for Windows connectors, with a CVSS score of 7.5. Linux and Mac connectors receive a Medium rating, with a CVSS score of 5.3.
What the ClamAV vulnerabilities allow
The vulnerabilities affect ClamAV's handling of specially crafted files. An attacker can send a malformed file through email, a web download, a shared folder, or another delivery path that causes ClamAV to scan it.
When the vulnerable engine parses the file, the scanning process can terminate or consume resources. This can interrupt malware detection and leave the affected endpoint with reduced protection until the service or system recovers.
On Windows, Cisco says successful exploitation can make the endpoint unresponsive and require manual intervention, such as a reboot. On Linux and Mac, the more likely impact is disruption of scanning rather than full system instability.
| Product | Impact rating | CVSS score | First fixed release |
|---|---|---|---|
| Cisco Secure Endpoint Connector for Windows | High | 7.5 | 8.6.2 |
| Cisco Secure Endpoint Connector for Linux | Medium | 5.3 | 1.29.0 |
| Cisco Secure Endpoint Connector for Mac | Medium | 5.3 | 1.27.2 |
| Cisco Secure Endpoint Private Cloud | Not vulnerable | 0.0 | 4.2.8 and later |
Seven CVEs affect ClamAV file parsers
The advisory covers seven vulnerabilities tracked as CVE-2026-20213, CVE-2026-20214, CVE-2026-20215, CVE-2026-20216, CVE-2026-20217, CVE-2026-20243, and CVE-2026-20244.
The issues affect parser and unpacking code for file formats such as PE, FSG, 7z, InstallShield, PESpin, ALZ, and DMG. The ClamAV documentation describes the engine as a cross-platform antivirus toolkit that supports many file formats, archives, executables, and signature types.
That broad file support is useful for malware detection, but it also means ClamAV must safely inspect large amounts of untrusted content. Parser bugs in this layer can affect the reliability of the security tool itself.
- CVE-2026-20213 affects PE parsing and Aspack-packed PE files.
- CVE-2026-20214 affects the FSG unpacker.
- CVE-2026-20215 affects 7z archive parsing.
- CVE-2026-20216 affects InstallShield archive handling.
- CVE-2026-20217 affects PESpin unpacking.
- CVE-2026-20243 affects ALZ archive handling.
- CVE-2026-20244 affects DMG parsing on 32-bit builds.
ClamAV 1.5.3 and 1.4.5 contain upstream fixes
Cisco Talos has also released fixed upstream ClamAV versions. The ClamAV release notes list ClamAV 1.5.3 and 1.4.5 as patch releases that fix the July 2026 vulnerabilities.
Several issues affect older versions going back many years. For example, the FSG unpacker issue affects versions as far back as 2004, while the PESpin issue affects versions as far back as 2005.
The DMG vulnerability has a narrower scope. It affects 32-bit ClamAV builds from 0.98.1 through 1.5.2, including supported 1.4.x and 1.5.x builds, but it does not affect 64-bit builds.
| CVE | Affected component | Potential result |
|---|---|---|
| CVE-2026-20213 | PE parser | Heap buffer overflow write from malformed Aspack-packed PE content |
| CVE-2026-20214 | FSG unpacker | Out-of-bounds write while scanning malformed PE files |
| CVE-2026-20215 | 7z parser | Out-of-bounds write from malformed archive metadata |
| CVE-2026-20216 | InstallShield parser | Temporary storage exhaustion during archive extraction |
| CVE-2026-20217 | PESpin unpacker | Scanner crash during cleanup |
| CVE-2026-20243 | ALZ parser | Scanner abort or scan-limit handling failure |
| CVE-2026-20244 | DMG parser on 32-bit builds | Scanner crash from malformed DMG content |
Why Windows connectors face higher impact
The Windows connector receives the highest rating because exploitation can affect endpoint responsiveness. A crashed or stalled security engine can interrupt normal endpoint use and reduce protection during recovery.
Linux and Mac deployments still face risk, but Cisco rates their impact lower because exploitation usually disrupts scanning rather than the entire operating system.
Cisco also notes that similar historical ClamAV flaws have had broader impact in some cases when process privileges and platform protections were weaker. For this advisory, the confirmed impact centers on denial of service and scanning disruption.
No workaround is available
The Cisco advisory says there are no workarounds for these vulnerabilities. Customers need to install the fixed connector versions for their operating systems.
Administrators should update Windows connectors to 8.6.2, Linux connectors to 1.29.0, and Mac connectors to 1.27.2. They should also verify that every endpoint actually moved to the fixed release after deployment.
Cisco Secure Endpoint Private Cloud is listed as not vulnerable, but organizations using it should still make sure managed endpoints receive updated connectors. The management platform itself does not remove the need to patch vulnerable endpoint software.
- Identify all Cisco Secure Endpoint Connector deployments.
- Prioritize Windows systems because Cisco rates them High severity.
- Update Linux and Mac connectors to their fixed versions.
- Confirm successful installation across all endpoints.
- Monitor for connector crashes, missing telemetry, or repeated service restarts.
- Review file intake points for malformed archive or executable files.
What standalone ClamAV users should do
The issue also matters for organizations that run standalone ClamAV or products that embed the engine. The ClamAV project is widely used for mail gateway scanning, file scanning, signature-based malware detection, and archive inspection.
Standalone users should update to fixed builds where available. The Cisco Talos release page identifies ClamAV 1.5.3 and 1.4.5 as patch releases for the affected code paths.
Linux distribution users should also check vendor package advisories. Some distributions backport security fixes without changing to the exact upstream version number.
| Environment | Recommended action |
|---|---|
| Cisco Secure Endpoint on Windows | Upgrade to connector 8.6.2 and confirm endpoint health |
| Cisco Secure Endpoint on Linux | Upgrade to connector 1.29.0 and check scanner telemetry |
| Cisco Secure Endpoint on Mac | Upgrade to connector 1.27.2 and verify deployment status |
| Standalone ClamAV | Install fixed ClamAV builds or distribution-provided patched packages |
| Mail gateways and file scanners | Monitor scan failures, crashes, queues, and delayed processing |
Why the vulnerabilities matter
These vulnerabilities do not need authentication, and they can be triggered remotely when a crafted file reaches a scanner. That makes exposed file intake paths important, including email systems, web uploads, shared drives, and download folders.
A denial-of-service flaw in an antivirus engine can still create a meaningful security gap. If scanning fails at the wrong moment, a second malicious file may have a better chance of slipping through.
Security teams should treat scanner availability as part of endpoint protection. If the tool that checks files keeps crashing, the organization loses visibility and protection even without a traditional malware infection.
How defenders can monitor for exploitation attempts
Detection should focus on scanner health and file processing failures. Teams should look for repeated ClamAV crashes, service restarts, unresponsive endpoints, or sudden gaps in endpoint telemetry.
Administrators should also review logs from mail gateways, upload systems, and file shares. A pattern of malformed PE, 7z, InstallShield, ALZ, DMG, FSG, or PESpin content may indicate probing or attempted exploitation.
After patching, teams should keep monitoring for failed scans because old connector versions may remain on offline or unmanaged endpoints. A successful rollout requires both deployment and verification.
| Signal | Why it matters |
|---|---|
| Repeated scanner crashes | May indicate crafted files are triggering vulnerable parsing paths |
| Endpoint becomes unresponsive | Matches the higher-impact Windows scenario described by Cisco |
| Missing security telemetry | Can show that protection or reporting failed after a crash |
| Backlogged mail or file scanning | May show scanning interruption in gateway environments |
| Old connector versions | Indicates vulnerable systems remain in the environment |
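As an added illustration of the two defender tasks above, verifying that every connector reached the fixed release and watching for repeated scanner crashes, here is a short Python script that is not code from Cisco or the ClamAV project. The fixed release numbers come from the advisory; the inventory records, the log-line layout and the crash marker strings are assumptions made for the example.

```python
# Added example, not the advisory's or ClamAV's own code. Fixed releases are
# from the advisory; the inventory, log layout and lines are constructed.
import re
from datetime import datetime, timedelta

FIXED_RELEASES = {"windows": "8.6.2", "linux": "1.29.0", "mac": "1.27.2"}

def parse_version(v):
    """Turn '8.6.2' into (8, 6, 2) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def vulnerable_endpoints(inventory):
    """Hostnames whose connector is older than the first fixed release for its platform.
    inventory: iterable of (hostname, platform, connector_version)."""
    return [host for host, platform, version in inventory
            if parse_version(version) < parse_version(FIXED_RELEASES[platform.lower()])]

# Assumed (constructed) log line layout: "<ISO timestamp> <host> <message>".
LOG_RE = re.compile(r"^(\S+) (\S+) (.*)$")
# Substrings of systemd-style unit messages that mark a scanner crash or restart.
CRASH_MARKERS = ("Main process exited", "core dumped", "Scheduled restart job")

def restart_bursts(log_lines, threshold=3, window=timedelta(minutes=10)):
    """Hosts with at least `threshold` crash/restart events inside one `window`."""
    events = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.groups()
        if any(marker in msg for marker in CRASH_MARKERS):
            events.setdefault(host, []).append(datetime.fromisoformat(ts))
    flagged = []
    for host, times in events.items():
        times.sort()  # any run of `threshold` consecutive events within `window` counts
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(host)
    return flagged

SAMPLE_INVENTORY = [  # constructed
    ("ws-01", "windows", "8.6.1"), ("ws-02", "windows", "8.6.2"),
    ("srv-01", "linux", "1.28.3"), ("mac-01", "mac", "1.27.2"),
]
SAMPLE_LOG = [  # constructed lines
    "2026-07-02T09:00:01 srv-01 clamav-daemon.service: Main process exited, code=dumped",
    "2026-07-02T09:00:05 srv-01 clamav-daemon.service: Scheduled restart job, restart counter is at 1.",
    "2026-07-02T09:03:10 srv-01 clamav-daemon.service: Main process exited, code=dumped",
    "2026-07-02T09:30:00 srv-02 clamav-daemon.service: Main process exited, code=dumped",
]
```

Feeding the script a real connector inventory export and journal or event-log lines in the assumed layout yields the hosts to re-deploy and the hosts whose scanner health warrants a closer look.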
The bottom line
The July 2026 ClamAV vulnerabilities show why security engines need the same patching urgency as other critical infrastructure software. Antivirus tools process hostile files by design, so parser bugs can quickly become operational risks.
For Cisco Secure Endpoint customers, the path is clear. Update affected connectors, confirm the fixed versions, and watch for systems that failed to report after the rollout.
For standalone ClamAV users, fixed upstream releases are available. Organizations should update quickly, especially on systems that scan email, uploads, archives, and files from untrusted sources.
FAQ
The July 2026 ClamAV vulnerabilities are seven flaws in file parsing and resource handling code. They are tracked as CVE-2026-20213, CVE-2026-20214, CVE-2026-20215, CVE-2026-20216, CVE-2026-20217, CVE-2026-20243, and CVE-2026-20244.
The affected Cisco products are Cisco Secure Endpoint Connector for Windows, Cisco Secure Endpoint Connector for Linux, and Cisco Secure Endpoint Connector for Mac. Cisco Secure Endpoint Private Cloud is listed as not vulnerable, but managed endpoints still need updated connectors.
Yes. Cisco says an unauthenticated remote attacker can exploit the vulnerabilities by sending crafted files that are scanned by ClamAV on an affected system. Successful exploitation can crash the scanning process and cause a denial-of-service condition.
No. Cisco says there are no workarounds for these vulnerabilities. Organizations should install the fixed Cisco Secure Endpoint Connector versions or update standalone ClamAV deployments to patched builds.
Cisco lists Windows Connector 8.6.2, Linux Connector 1.29.0, and Mac Connector 1.27.2 as the first fixed releases. Standalone ClamAV users should update to fixed builds such as ClamAV 1.5.3 or 1.4.5 where appropriate.