
Multiple ClamAV Vulnerabilities Allow Remote Attacker to Cause a DoS Condition


Jul 02, 2026

Multiple high-severity vulnerabilities in Cisco’s ClamAV engine allow remote attackers to crash the antivirus scanning process, causing a denial-of-service (DoS) on affected Cisco Secure Endpoint Connector deployments.

The flaws affect Windows, Linux, and macOS, with the highest impact on Windows, where they are rated High (CVSS 7.5) because the ClamAV scanning process runs with higher privileges and a crash can directly impact endpoint stability.

On Linux and macOS, the Security Impact Rating is Medium, as ClamAV typically runs with reduced privileges and DoS primarily disrupts scanning rather than the whole system.

Cisco clarifies that Secure Endpoint Private Cloud is not directly vulnerable. However, the connectors distributed from it inherit the ClamAV flaws and must be updated.

The vulnerabilities are rooted in improper memory handling, boundary checks, and resource management in multiple ClamAV file format parsers, including PE, FSG, 7z, InstallShield, PESpin, ALZ, and DMG.

ClamAV Vulnerabilities

An unauthenticated attacker can craft malformed files in these formats and deliver them to an endpoint via email, web download, or file share so that ClamAV scans the content.

When the engine parses the malicious file, bugs such as out-of-bounds writes, memory overreads, and integer overflows on 32-bit platforms can cause the ClamAV process to terminate and temporarily consume system resources, resulting in a DoS condition.

Cisco published advisory cisco-sa-clamav-88cFYyxR on July 1, 2026, warning that similar ClamAV parsing vulnerabilities have previously disrupted scanning operations, caused scans to fail and, in some cases, allowed remote code execution when process privileges and platform protections were weaker, underscoring the risk of flaws in security engines that routinely process untrusted input.

Cisco notes that the impact varies by product and platform implementation but confirms exposure for the Secure Endpoint Connector on Linux, Mac, and Windows, all of which use vulnerable ClamAV components.

Windows connectors receive a High rating (CVSS 7.5): successful exploitation can make the endpoint unresponsive, requiring manual intervention such as a reboot.

Linux and Mac connectors receive a Medium rating: exploitation will still terminate the scanning engine and delay or block malware detection, but usually does not destabilize the entire operating system.

Previous regional advisories and vendor notices on ClamAV DoS issues show a consistent pattern. Once the scan process crashes, the device loses antivirus coverage until the service restarts or the system is recovered.

Cisco reports that there are no practical workarounds for these ClamAV vulnerabilities, leaving patching as the only durable mitigation.

Updated Secure Endpoint Connector releases are available via the Cisco Secure Endpoint portal. Affected customers are urged to upgrade to the documented fixed versions for Windows, Linux, and Mac as part of normal content and software update cycles.

Security teams should also review associated Cisco bug IDs and CVE entries for specific build numbers and deployment guidance, and ensure endpoints have sufficient resources before upgrading.

Source: CybersecurityNews.com
