CVE-2025-20260

CRITICAL

ClamAV < 1.0.9 - Heap-based Buffer Overflow in PDF Scanner

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-20260. PoCs published by Alex-Acero-Security, keyuraghao.

Description

A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.

Exploits (2)

github WORKING POC
by Alex-Acero-Security · python · poc
https://github.com/Alex-Acero-Security/CVE-2025-20260-POC

The repository contains a functional Python script that generates a malicious PDF file exploiting a buffer overflow in ClamAV's PDF scanning process (CVE-2025-20260). The exploit leverages an ASCII85-encoded stream with an excessively large length field to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ClamAV (PDF scanning component)
No auth needed
Prerequisites: ability to deliver a crafted PDF file to the target system
devstral-2 · analyzed May 18, 2026

nomisec WORKING POC
by keyuraghao · poc
https://github.com/keyuraghao/CVE-2025-20260

This PoC generates a malicious PDF file exploiting CVE-2025-20260, targeting ClamAV's ASCII85Decode filter with an oversized length field to trigger a buffer overflow. The script constructs a PDF with an intentionally malformed ASCII85 stream to exploit a vulnerability in ClamAV's parsing logic.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: ClamAV (version not specified)
No auth needed
Prerequisites: ClamAV installation vulnerable to CVE-2025-20260
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0123
EPSS Percentile: 79.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-122
Status: published
Products (1): clamav/clamav < 1.0.9
Published: Jun 18, 2025
Tracked Since: Feb 18, 2026