CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:X/RL:X/RC:X
-
Multiple vulnerabilities in ClamAV could allow a remote attacker to cause a denial of service (DoS) condition, interrupting scanning operations.
For more information about these vulnerabilities, see the Details section of this advisory.
For additional information on these vulnerabilities in ClamAV, see the ClamAV blog.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
Notes:
- The Security Impact Rating (SIR) for these vulnerabilities is High for Windows-based platforms only because those platforms run the ClamAV scanning process in a privileged security context. The platforms that are highly impacted include Cisco Secure Endpoint Connector for Windows.
- The SIR for these vulnerabilities is Medium on other platforms, including Linux and Mac platforms, because those platforms run the ClamAV scanning process in a lower-privileged security context. The affected platforms include Secure Endpoint Connector for Linux and Mac.
- Cisco Secure Endpoint Private Cloud itself is not impacted by these vulnerabilities. However, the Cisco Secure Endpoint Connector software that is distributed from the device is impacted.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-88cFYyxR
-
Vulnerable Products
The following table lists Cisco products that are affected by the vulnerabilities that are described in this advisory. Customers should refer to the associated Cisco bug IDs for further details.
| Affected Cisco Software Platform | CVSS Base Score | Security Impact Rating | Cisco Bug ID | First Fixed Release |
| --- | --- | --- | --- | --- |
| Secure Endpoint Connector for Linux | 5.3 | Medium | CSCwt81503 | 1.29.0 |
| Secure Endpoint Connector for Mac | 5.3 | Medium | CSCwt81504 | 1.27.2 |
| Secure Endpoint Connector for Windows | 7.5 | High | CSCwt81501 | 8.6.2 |
| Secure Endpoint Private Cloud | 0.0 | No impact | CSCwu55927 | 4.2.8 and later |

Cisco products may be impacted differently depending on implementation and usage of ClamAV. For information on the effects of these vulnerabilities on specific Cisco products, see the Details section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following Cisco products:
- Secure Email Gateway
- Secure Web Gateway
-
The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.
Details about the vulnerabilities are as follows:
CVE-2026-20216: ClamAV InstallShield File Parsing DoS Vulnerability
A vulnerability in the InstallShield file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device.
This vulnerability is due to improper handling of temporary resources during file scanning. An attacker could exploit this vulnerability by submitting a crafted InstallShield file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process and temporarily consume available system resources, resulting in a DoS condition on the affected software.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
CVE ID: CVE-2026-20216
Security Impact Rating (SIR): High
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ClamAV Memory Corruption Vulnerabilities
The following vulnerabilities, which have a SIR on ClamAV, affect Linux, Mac, and Windows-based platforms that are using ClamAV.
If an attacker exploits any of this class of vulnerability against affected devices that use Cisco Secure Endpoint Connector for Windows, the scanning engine process could be terminated and cause a DoS condition because the endpoint may become unresponsive and require manual intervention, such as a system reboot, to recover.
On Windows-based platforms, attackers have used similar vulnerabilities to achieve remote code execution. However, no evidence exists proving the potential for remote code execution for the vulnerabilities that are described in this advisory. In most circumstances, platform and memory protections prevent practical exploitation of these vulnerabilities for code execution, especially on systems with modern 64-bit architecture. Systems that are running legacy 32-bit Windows platforms are at higher risk for successful exploitation.
On Cisco Secure Endpoint Connector for Linux and Mac, the SIR is Medium. Exploitation of these vulnerabilities could cause the scanning engine process to terminate, delaying or preventing further scanning operations. However, overall system stability is not affected.
For information about vulnerability scoring and SIRs, see the Security Risk Assessment section of the Cisco Security Vulnerability Policy.
Cisco Secure Endpoint Connector, which is distributed from Cisco Secure Endpoint Private Cloud, is affected by these vulnerabilities. Cisco Secure Endpoint Private Cloud itself is not affected.
CVE-2026-20213: ClamAV PE File Format Processing Memory Corruption Vulnerability
A vulnerability in the PE file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device.
This vulnerability is due to improper boundary checks for content in PE files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains PE content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
CVE ID: CVE-2026-20213
Security Impact Rating (SIR): High
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2026-20214: ClamAV FSG File Format Processing Memory Corruption Vulnerability
A vulnerability in the FSG file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device.
This vulnerability is due to improper boundary checks for content in FSG files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains portable executable content compressed with FSG to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
CVE ID: CVE-2026-20214
Security Impact Rating (SIR): High
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2026-20215: ClamAV 7z File Format Processing Memory Corruption Vulnerability
A vulnerability in the 7z file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device.
This vulnerability is due to improper boundary checks for content in 7z files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains 7z content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
CVE ID: CVE-2026-20215
Security Impact Rating (SIR): High
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2026-20217: ClamAV PESpin File Format Processing Memory Corruption Vulnerability
A vulnerability in the PESpin file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device.
This vulnerability is due to improper boundary checks for content in PESpin files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains PESpin content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
CVE ID: CVE-2026-20217
Security Impact Rating (SIR): High
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2026-20243: ClamAV ALZ File Format Processing Memory Corruption Vulnerability
A vulnerability in the ALZ file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device.
This vulnerability is due to improper boundary checks for content in ALZ files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains ALZ content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
CVE ID: CVE-2026-20243
Security Impact Rating (SIR): High
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2026-20244: ClamAV DMG File Format Processing Memory Corruption Vulnerability
A vulnerability in the DMG file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device.
This vulnerability is due to improper boundary checks for content in DMG files during scanning, which may result in an integer overflow on 32-bit platforms only. An attacker could exploit this vulnerability by submitting a crafted file that contains DMG content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
CVE ID: CVE-2026-20244
Security Impact Rating (SIR): High
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-
There are no workarounds that address these vulnerabilities.
-
Cisco considers any workarounds and mitigations (if applicable) to be temporary solutions until an upgrade to a fixed software release is available. To fully remediate these vulnerabilities and avoid future exposure as described in this advisory, Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.
Fixed Releases
Customers are advised to upgrade to an appropriate fixed software release as indicated in the following table:
| Cisco Product | Cisco Bug ID | Fixed Release Availability |
| --- | --- | --- |
| Secure Endpoint Connector for Linux | CSCwt81503 | 1.29.0 [1] |
| Secure Endpoint Connector for Mac | CSCwt81504 | 1.27.2 [1] |
| Secure Endpoint Connector for Windows | CSCwt81501 | 8.6.2 [1] |
| Secure Endpoint Private Cloud | CSCwu55927 | 4.2.8 and later [2] |

[1] Updated releases of Cisco Secure Endpoint Connector are available through the Cisco Secure Endpoint portal. Depending on the configured policy, Cisco Secure Endpoint Connector will automatically update.
[2] Affected releases of Cisco Secure Endpoint Connector clients for Cisco Secure Endpoint Private Cloud have been updated in the connector repository. Customers will get these connector updates through normal content update processes.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
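The following triage script is an added example, not part of the Cisco advisory or any Cisco tooling. It checks a connector inventory against the first fixed releases and SIRs listed in this advisory and puts the High-rated Windows endpoints at the top of the upgrade list. The inventory format, the hostnames and the assumption that connector versions are dotted numeric strings (optionally with a trailing build number) are hypothetical.

```python
import re

# First fixed releases and SIRs copied from the advisory's tables.
# Secure Endpoint Private Cloud is omitted: the advisory rates it "No impact".
FIXED = {
    "linux":   {"fixed": "1.29.0", "sir": "Medium"},
    "mac":     {"fixed": "1.27.2", "sir": "Medium"},
    "windows": {"fixed": "8.6.2",  "sir": "High"},
}

def parse_version(text):
    """Turn '8.6.2' or '8.6.2.30314' into a tuple of ints; None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_older(installed, fixed):
    """Compare component-wise, padding the shorter version with zeros."""
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) < pad(fixed)

def triage(inventory):
    """Return (host, status, sir, first_fixed); status is upgrade/review/fixed."""
    findings = []
    for host, platform, version in inventory:
        entry = FIXED.get(platform.lower())
        parsed = parse_version(version)
        if entry is None or parsed is None:
            # Unknown platform or unparseable version: needs manual review
            findings.append((host, "review", None, None))
        elif is_older(parsed, parse_version(entry["fixed"])):
            findings.append((host, "upgrade", entry["sir"], entry["fixed"]))
        else:
            findings.append((host, "fixed", entry["sir"], entry["fixed"]))
    # Upgrades first, and within each status the High-SIR (Windows) hosts first
    order = {"upgrade": 0, "review": 1, "fixed": 2}
    return sorted(findings, key=lambda f: (order[f[1]], f[2] != "High", f[0]))

# Constructed sample inventory (hostnames and versions are made up)
SAMPLE = [
    ("lnx-01", "linux", "1.28.4"),
    ("mac-07", "mac", "1.27.2"),
    ("win-22", "windows", "8.6.1.30000"),
    ("win-23", "windows", "8.6.2"),
    ("bsd-02", "freebsd", "1.0"),
    ("lnx-09", "linux", "unknown"),
]

if __name__ == "__main__":
    for host, status, sir, fixed in triage(SAMPLE):
        print(f"{host:8} {status:8} SIR={sir} first_fixed={fixed}")
```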
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
-
Cisco would like to thank the following people for reporting these vulnerabilities:
- David Pokora of Trail of Bits, working with Anthropic: CVE-2026-20213, CVE-2026-20214, and CVE-2026-20215
- Calif.io in collaboration with Claude and Anthropic Research: CVE-2026-20213
- Atuin - Automated Vulnerability Discovery Engine, Tianchu Chen of Tencent Xuanwu Lab: CVE-2026-20213 and CVE-2026-20217
- Niv Moshe working with TrendAI Zero Day Initiative: CVE-2026-20215
- Mizu: CVE-2026-20216
- Yazdan Soltani: CVE-2026-20243
- pawlok and barteq of the GetResponse Security Team: CVE-2026-20243
- Stanley John Tobias: CVE-2026-20244
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
| Version | Description | Section | Status | Date |
| --- | --- | --- | --- | --- |
| 1.0 | Initial public release. | — | Final | 2026-JUL-01 |
-
SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT
The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC). Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
When considering software upgrades, customers are advised to regularly consult the advisories for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
LEGAL DISCLAIMER DETAILS
CISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Copies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy for more information.