ClamAV 1.5.3 and 1.4.5 Fix Seven Scanner Bugs

ClamAV 1.5.3 and 1.4.5 patch seven scanner vulnerabilities affecting malware-scanning deployments, including Cisco Secure Endpoint connectors.

ClamAV administrators have a new patch window to close: the project has published ClamAV 1.5.3 and 1.4.5 with fixes for seven CVE-tracked scanner bugs in packers, archive parsers, and a 32-bit DMG parser path.[1] The update matters because ClamAV is often placed directly in the path of untrusted files: mail attachments, upload portals, sandbox queues, endpoint tooling, and CI or malware-analysis pipelines.

The seven issues are tracked as CVE-2026-20213, CVE-2026-20214, CVE-2026-20215, CVE-2026-20216, CVE-2026-20217, CVE-2026-20243, and CVE-2026-20244. Several affect ClamAV 1.5.2, 1.4.4, and older releases stretching back many years, with the project noting vulnerable code paths as old as 2004, 2005, 2007, and 2009 depending on the parser or unpacker.[1]

Cisco’s separate advisory for Cisco products rates the set as high impact on Windows-based platforms because the ClamAV scanning process can run in a privileged security context there. Cisco lists Linux and Mac impact as medium where the scanner runs with lower privileges, and says software updates are available with no workaround that fully addresses the vulnerabilities.[2]

Who should update ClamAV now

The practical priority is not only desktop antivirus use. Teams should inventory ClamAV in mail gateways, file-upload scanning services, container images, SOAR enrichment jobs, and endpoint connectors. If a scanner automatically opens user-supplied archives or executables, malformed samples can become a denial-of-service or memory-corruption problem in a security control that is supposed to reduce risk.

The ClamAV notes describe multiple parser and unpacker classes. One bug can crash the scanner through the PESpin unpacker cleanup path. Another involves PE rebuild size calculations for malformed Aspack-packed files. Other fixes cover InstallShield archive extraction limits, FSG unpacking, ALZ archive handling, 7z substream metadata, and a 32-bit DMG parser crash condition.[1]

For defenders, the first check is version coverage: production scanners should move to 1.5.3 or 1.4.5, and older pinned packages should be reviewed in distribution repositories, Docker images, appliances, and EDR connector bundles. If your organization recently treated Microsoft Defender patching as an endpoint emergency, treat ClamAV the same way when it sits in front of business-critical file flows.

Administrators should also check how ClamAV is isolated. A scanner that runs as root or as a high-privilege service account gives a malformed file more room to hurt operations. Prefer a dedicated low-privilege account, strict temporary-directory limits, container or systemd sandboxing where possible, and monitoring for repeated scanner crashes, queue growth, or exhausted temporary storage.

The update is also a reminder that file intake security is layered. A scanner helps, but upload pipelines still need file-size limits, archive-depth limits, quarantine separation, and logging around rejected or timed-out scans. That context matters for web apps too: old file-upload vulnerability research showed how fragile upload handling becomes when parsing, storage, and validation are treated as one trusted step.

Home users do not need to panic over the CVE list, but anyone running ClamAV directly should update from official packages or containers rather than copying random builds. For manual checks, the simple goal is to confirm that clamscan --version, service banners, package managers, and container tags no longer report 1.5.2, 1.4.4, or older affected branches. If you need a lightweight second opinion on a file, a separate service such as the GridinSoft Online Virus Scanner can be useful, but it should not replace patching a scanner that processes files automatically.

References

  1. ClamAV Blog. “ClamAV 1.5.3 and 1.4.5 security patch versions published.” July 1, 2026. https://blog.clamav.net/2026/07/clamav-153-and-145-security-patch.html
  2. Cisco Security Advisory. “ClamAV Vulnerabilities Affecting Cisco Products: July 2026.” First published July 1, 2026; updated July 2, 2026. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-88cFYyxR
  3. Help Net Security. “New ClamAV security patch closes seven scanner bugs dating back two decades.” July 6, 2026. https://www.helpnetsecurity.com/2026/07/06/clamav-security-patch-versions/

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.

Leave a Comment