Multiple ClamAV Vulnerabilities Let Remote Attackers Crash Cisco Endpoint Scanning


Cisco has disclosed multiple ClamAV vulnerabilities that can allow an unauthenticated remote attacker to crash antivirus scanning and cause a denial-of-service condition on affected systems.

The flaws were published in the Cisco ClamAV security advisory on July 1, 2026. They affect Cisco Secure Endpoint Connector deployments for Windows, Linux, and Mac through vulnerable ClamAV components.

Cisco rates the impact as High for Windows connectors, with a CVSS score of 7.5. Linux and Mac connectors receive a Medium rating, with a CVSS score of 5.3.

What the ClamAV vulnerabilities allow

The vulnerabilities affect ClamAV's handling of specially crafted files. An attacker can send a malformed file through email, a web download, a shared folder, or another delivery path that causes ClamAV to scan it.

When the vulnerable engine parses the file, the scanning process can terminate or consume resources. This can interrupt malware detection and leave the affected endpoint with reduced protection until the service or system recovers.

On Windows, Cisco says successful exploitation can make the endpoint unresponsive and require manual intervention, such as a reboot. On Linux and Mac, the more likely impact is disruption of scanning rather than full system instability.

| Product | Impact rating | CVSS score | First fixed release |
|---|---|---|---|
| Cisco Secure Endpoint Connector for Windows | High | 7.5 | 8.6.2 |
| Cisco Secure Endpoint Connector for Linux | Medium | 5.3 | 1.29.0 |
| Cisco Secure Endpoint Connector for Mac | Medium | 5.3 | 1.27.2 |
| Cisco Secure Endpoint Private Cloud | Not vulnerable | 0.0 | 4.2.8 and later |

Seven CVEs affect ClamAV file parsers

The advisory covers seven vulnerabilities tracked as CVE-2026-20213, CVE-2026-20214, CVE-2026-20215, CVE-2026-20216, CVE-2026-20217, CVE-2026-20243, and CVE-2026-20244.

The issues affect parser and unpacking code for file formats such as PE, FSG, 7z, InstallShield, PESpin, ALZ, and DMG. The ClamAV documentation describes the engine as a cross-platform antivirus toolkit that supports many file formats, archives, executables, and signature types.

That broad file support is useful for malware detection, but it also means ClamAV must safely inspect large amounts of untrusted content. Parser bugs in this layer can affect the reliability of the security tool itself.

  • CVE-2026-20213 affects PE parsing and Aspack-packed PE files.
  • CVE-2026-20214 affects the FSG unpacker.
  • CVE-2026-20215 affects 7z archive parsing.
  • CVE-2026-20216 affects InstallShield archive handling.
  • CVE-2026-20217 affects PESpin unpacking.
  • CVE-2026-20243 affects ALZ archive handling.
  • CVE-2026-20244 affects DMG parsing on 32-bit builds.

ClamAV 1.5.3 and 1.4.5 contain upstream fixes

Cisco Talos has also released fixed upstream ClamAV versions. The ClamAV release notes list ClamAV 1.5.3 and 1.4.5 as patch releases that fix the July 2026 vulnerabilities.

Several issues affect older versions going back many years. For example, the FSG unpacker issue affects versions as far back as 2004, while the PESpin issue affects versions as far back as 2005.

The DMG vulnerability has a narrower scope. It affects 32-bit ClamAV builds from 0.98.1 through 1.5.2, including supported 1.4.x and 1.5.x builds, but it does not affect 64-bit builds.

| CVE | Affected component | Potential result |
|---|---|---|
| CVE-2026-20213 | PE parser | Heap buffer overflow write from malformed Aspack-packed PE content |
| CVE-2026-20214 | FSG unpacker | Out-of-bounds write while scanning malformed PE files |
| CVE-2026-20215 | 7z parser | Out-of-bounds write from malformed archive metadata |
| CVE-2026-20216 | InstallShield parser | Temporary storage exhaustion during archive extraction |
| CVE-2026-20217 | PESpin unpacker | Scanner crash during cleanup |
| CVE-2026-20243 | ALZ parser | Scanner abort or scan-limit handling failure |
| CVE-2026-20244 | DMG parser on 32-bit builds | Scanner crash from malformed DMG content |

Why Windows connectors face higher impact

The Windows connector receives the highest rating because exploitation can affect endpoint responsiveness. A crashed or stalled security engine can interrupt normal endpoint use and reduce protection during recovery.

Linux and Mac deployments still face risk, but Cisco rates their impact lower because exploitation usually disrupts scanning rather than the entire operating system.

Cisco also notes that similar historical ClamAV flaws have had broader impact in some cases when process privileges and platform protections were weaker. For this advisory, the confirmed impact centers on denial of service and scanning disruption.

No workaround is available

The Cisco advisory says there are no workarounds for these vulnerabilities. Customers need to install the fixed connector versions for their operating systems.

Administrators should update Windows connectors to 8.6.2, Linux connectors to 1.29.0, and Mac connectors to 1.27.2. They should also verify that every endpoint actually moved to the fixed release after deployment.

Cisco Secure Endpoint Private Cloud is listed as not vulnerable, but organizations using it should still make sure managed endpoints receive updated connectors. The management platform itself does not remove the need to patch vulnerable endpoint software.

  • Identify all Cisco Secure Endpoint Connector deployments.
  • Prioritize Windows systems because Cisco rates them High severity.
  • Update Linux and Mac connectors to their fixed versions.
  • Confirm successful installation across all endpoints.
  • Monitor for connector crashes, missing telemetry, or repeated service restarts.
  • Review file intake points for malformed archive or executable files.

What standalone ClamAV users should do

The issue also matters for organizations that run standalone ClamAV or products that embed the engine. The ClamAV project is widely used for mail gateway scanning, file scanning, signature-based malware detection, and archive inspection.

Standalone users should update to fixed builds where available. The Cisco Talos release page identifies ClamAV 1.5.3 and 1.4.5 as patch releases for the affected code paths.

Linux distribution users should also check vendor package advisories. Some distributions backport security fixes without changing to the exact upstream version number.

| Environment | Recommended action |
|---|---|
| Cisco Secure Endpoint on Windows | Upgrade to connector 8.6.2 and confirm endpoint health |
| Cisco Secure Endpoint on Linux | Upgrade to connector 1.29.0 and check scanner telemetry |
| Cisco Secure Endpoint on Mac | Upgrade to connector 1.27.2 and verify deployment status |
| Standalone ClamAV | Install fixed ClamAV builds or distribution-provided patched packages |
| Mail gateways and file scanners | Monitor scan failures, crashes, queues, and delayed processing |
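The verification step in the connector checklist and the standalone ClamAV guidance both come down to comparing installed versions against the fixed releases the advisory names. The following audit script is an added example, not Cisco's or the ClamAV project's code; the inventory is constructed sample data, and it assumes that any ClamAV branch older than 1.4 is unpatched and any branch newer than 1.5 already carries the fixes.

```python
import re

# First fixed connector releases as listed in the Cisco advisory.
CONNECTOR_FIXED = {"windows": (8, 6, 2), "linux": (1, 29, 0), "mac": (1, 27, 2)}
# Upstream patch releases named for the July 2026 issues.
CLAMAV_FIXED_BY_BRANCH = {(1, 5): (1, 5, 3), (1, 4): (1, 4, 5)}


def parse_version(text):
    """Return the first dotted x.y.z version in text as a tuple of ints.

    Accepts bare versions ("8.6.1") and the banner printed by
    `clamscan --version` ("ClamAV 1.4.4/<sigdb>/<date>")."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def connector_needs_update(platform, version_text):
    """True if a Secure Endpoint connector is below its first fixed release."""
    return parse_version(version_text) < CONNECTOR_FIXED[platform.lower()]


def clamav_needs_update(version_text):
    """True if a standalone ClamAV build is below the patch release of its branch.

    Assumption: branches older than 1.4 have no fix named in the advisory and are
    treated as unpatched; branches newer than 1.5 are assumed to include the fixes."""
    v = parse_version(version_text)
    fixed = CLAMAV_FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return v[:2] < (1, 4)
    return v < fixed


def audit(inventory):
    """Return the hosts from an inventory that still run unpatched software."""
    stale = []
    for e in inventory:
        if e["kind"] == "connector":
            needs = connector_needs_update(e["platform"], e["version"])
        else:
            needs = clamav_needs_update(e["version"])
        if needs:
            stale.append(e["host"])
    return stale


INVENTORY = [  # constructed sample data, not from the advisory
    {"host": "win-01", "kind": "connector", "platform": "windows", "version": "8.6.1"},
    {"host": "win-02", "kind": "connector", "platform": "windows", "version": "8.6.2"},
    {"host": "lin-01", "kind": "connector", "platform": "linux", "version": "1.28.3"},
    {"host": "mac-01", "kind": "connector", "platform": "mac", "version": "1.27.2"},
    {"host": "mx-01", "kind": "clamav", "version": "ClamAV 1.4.4/27525/Tue Jun 30 2026"},
    {"host": "mx-02", "kind": "clamav", "version": "ClamAV 1.5.3/27525/Tue Jun 30 2026"},
    {"host": "nas-01", "kind": "clamav", "version": "ClamAV 1.0.9/27525/Tue Jun 30 2026"},
]
```

Distribution packages that backport the fix keep an older version string, so treat a hit from this script on a vendor-patched host as a prompt to check the package changelog, not as proof of exposure.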

Why the vulnerabilities matter

These vulnerabilities do not need authentication, and they can be triggered remotely when a crafted file reaches a scanner. That makes exposed file intake paths important, including email systems, web uploads, shared drives, and download folders.

A denial-of-service flaw in an antivirus engine can still create a meaningful security gap. If scanning fails at the wrong moment, a second malicious file may have a better chance of slipping through.

Security teams should treat scanner availability as part of endpoint protection. If the tool that checks files keeps crashing, the organization loses visibility and protection even without a traditional malware infection.

How defenders can monitor for exploitation attempts

Detection should focus on scanner health and file processing failures. Teams should look for repeated ClamAV crashes, service restarts, unresponsive endpoints, or sudden gaps in endpoint telemetry.

Administrators should also review logs from mail gateways, upload systems, and file shares. A pattern of malformed PE, 7z, InstallShield, ALZ, DMG, FSG, or PESpin content may indicate probing or attempted exploitation.

After patching, teams should keep monitoring for failed scans because old connector versions may remain on offline or unmanaged endpoints. A successful rollout requires both deployment and verification.

| Signal | Why it matters |
|---|---|
| Repeated scanner crashes | May indicate crafted files are triggering vulnerable parsing paths |
| Endpoint becomes unresponsive | Matches the higher-impact Windows scenario described by Cisco |
| Missing security telemetry | Can show that protection or reporting failed after a crash |
| Backlogged mail or file scanning | May show scanning interruption in gateway environments |
| Old connector versions | Indicates vulnerable systems remain in the environment |
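The first signal in the table, repeated scanner crashes, can be pulled out of ordinary service-manager logs. The script below is an added example, not part of the article or of any vendor tooling; it runs over constructed journald-style lines for a clamd service and flags a host whose scanner died a configurable number of times inside a short window, which is the pattern to expect when malformed files keep hitting a vulnerable parser.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines in journald/syslog style; host and times are invented.
SAMPLE_LOG = """\
Jul 02 09:14:03 mx1 systemd[1]: clamd.service: Main process exited, code=killed, status=11/SEGV
Jul 02 09:14:04 mx1 systemd[1]: clamd.service: Failed with result 'signal'.
Jul 02 09:14:14 mx1 systemd[1]: clamd.service: Scheduled restart job, restart counter is at 1.
Jul 02 09:16:41 mx1 systemd[1]: clamd.service: Main process exited, code=killed, status=6/ABRT
Jul 02 09:16:51 mx1 systemd[1]: clamd.service: Scheduled restart job, restart counter is at 2.
Jul 02 09:19:20 mx1 systemd[1]: clamd.service: Main process exited, code=killed, status=11/SEGV
Jul 02 09:19:30 mx1 systemd[1]: clamd.service: Scheduled restart job, restart counter is at 3.
Jul 02 11:05:00 mx1 systemd[1]: clamd.service: Main process exited, code=killed, status=11/SEGV
"""

# Matches systemd's "Main process exited" line for a clamd/clamav unit killed by a signal.
CRASH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) systemd\[\d+\]: "
    r"(?P<unit>clam\S+\.service): Main process exited, code=killed, status=(?P<sig>\d+/\w+)"
)


def parse_crashes(log_text, year=2026):
    """Yield (timestamp, host, unit, signal) for each scanner crash line.

    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["unit"], m["sig"]


def crash_bursts(log_text, window_minutes=10, threshold=3):
    """Return {(host, unit): peak crash count} for units that crashed at least
    `threshold` times within any `window_minutes` span (sliding window)."""
    window = timedelta(minutes=window_minutes)
    recent = {}   # (host, unit) -> deque of crash times still inside the window
    alerts = {}
    for ts, host, unit, _sig in parse_crashes(log_text):
        key = (host, unit)
        q = recent.setdefault(key, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts
```

An isolated crash hours later, like the last sample line, stays below the threshold; the three crashes within six minutes are what a gateway operator should correlate with the files that were being scanned at the time.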

The bottom line

The July 2026 ClamAV vulnerabilities show why security engines need the same patching urgency as other critical infrastructure software. Antivirus tools process hostile files by design, so parser bugs can quickly become operational risks.

For Cisco Secure Endpoint customers, the path is clear. Update affected connectors, confirm the fixed versions, and watch for systems that failed to report after the rollout.

For standalone ClamAV users, fixed upstream releases are available. Organizations should update quickly, especially on systems that scan email, uploads, archives, and files from untrusted sources.

FAQ

What are the July 2026 ClamAV vulnerabilities?

The July 2026 ClamAV vulnerabilities are seven flaws in file parsing and resource handling code. They are tracked as CVE-2026-20213, CVE-2026-20214, CVE-2026-20215, CVE-2026-20216, CVE-2026-20217, CVE-2026-20243, and CVE-2026-20244.

Which Cisco products are affected by the ClamAV vulnerabilities?

The affected Cisco products are Cisco Secure Endpoint Connector for Windows, Cisco Secure Endpoint Connector for Linux, and Cisco Secure Endpoint Connector for Mac. Cisco Secure Endpoint Private Cloud is listed as not vulnerable, but managed endpoints still need updated connectors.

Can a remote attacker exploit these ClamAV flaws without authentication?

Yes. Cisco says an unauthenticated remote attacker can exploit the vulnerabilities by sending crafted files that are scanned by ClamAV on an affected system. Successful exploitation can crash the scanning process and cause a denial-of-service condition.

Are workarounds available for the July 2026 ClamAV vulnerabilities?

No. Cisco says there are no workarounds for these vulnerabilities. Organizations should install the fixed Cisco Secure Endpoint Connector versions or update standalone ClamAV deployments to patched builds.

Which versions fix the Cisco Secure Endpoint Connector issue?

Cisco lists Windows Connector 8.6.2, Linux Connector 1.29.0, and Mac Connector 1.27.2 as the first fixed releases. Standalone ClamAV users should update to fixed builds such as ClamAV 1.5.3 or 1.4.5 where appropriate.
