Search for vulnerabilities
Vulnerability details: VCID-dyzw-mck7-p7bn
Vulnerability ID VCID-dyzw-mck7-p7bn
Aliases CVE-2025-20260
Summary A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-122 Heap-based Buffer Overflow
System Score Found at
epss 0.00138 https://api.first.org/data/v1/epss?cve=CVE-2025-20260
epss 0.00138 https://api.first.org/data/v1/epss?cve=CVE-2025-20260
cvssv3.1 9.8 https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html
ssvc Track https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2025-20260
archlinux Critical https://security.archlinux.org/AVG-2903
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-20260
https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20260
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1108046 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108046
AVG-2903 https://security.archlinux.org/AVG-2903
CVE-2025-20260 https://nvd.nist.gov/vuln/detail/CVE-2025-20260
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-18T17:49:35Z/ Found at https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-20260
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.34629
EPSS Score 0.00138
Published At June 25, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-06-20T17:27:02.903612+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 36.1.3