Cisco has released critical security updates for its ClamAV open-source antivirus engine, patching seven vulnerabilities, including some that have persisted in the codebase for nearly two decades. The updates address multiple memory corruption and heap-based buffer overflow flaws that could allow an unauthenticated attacker to trigger a denial-of-service (DoS) or potentially execute arbitrary code on affected systems.
Which ClamAV Versions Are Affected?
The security patches, detailed in the official Cisco Talos security advisory, apply to ClamAV versions 1.3.1, 1.2.3, and 1.0.6. The vulnerabilities primarily affect the engine’s ability to process various file formats, including CHM, ARJ, and WMF files.
Cisco confirmed that the most severe of these bugs—specifically those involving the parsing of ARJ and WMF files—have been present in the software since approximately 2005. Because ClamAV is widely integrated into mail gateways, file servers, and endpoint protection solutions, these legacy vulnerabilities represent a significant risk to enterprise environments that rely on the software for real-time threat detection.
What Are the Primary Vulnerabilities?
The seven vulnerabilities center on how the engine handles malformed or maliciously crafted files. According to Cisco, the flaws include:
- CVE-2024-20328: A heap-based buffer overflow in the ARJ parser that could lead to code execution.
- CVE-2024-20329: An out-of-bounds read in the ARJ parser.
- CVE-2024-20330: An out-of-bounds read affecting the WMF file parser.
- CVE-2024-20331: A vulnerability related to the CHM file parser.
These bugs typically trigger crashes within the clamd process. In an enterprise setting, if an attacker sends a specially crafted file through an email gateway protected by an unpatched version of ClamAV, the antivirus engine might crash, effectively bypassing security filters and allowing subsequent malicious traffic to pass through unchecked.
How Do These Bugs Compare to Previous Disclosures?
The discovery of 20-year-old vulnerabilities highlights a recurring challenge in open-source security: "technical debt" within legacy parsers. While many modern security tools undergo frequent fuzzing and automated vulnerability scanning, older, rarely modified components of a codebase often escape scrutiny for years.

By comparison, Cisco’s recent disclosure follows a pattern of iterative hardening. Unlike the high-profile Log4j vulnerability, which required a massive global response due to its ubiquity, these ClamAV bugs are localized to the engine’s specific file-parsing logic. However, the age of these bugs serves as a reminder that even mature, widely-deployed security software can harbor long-standing flaws that only surface as modern fuzzing techniques improve.
How Can Administrators Protect Their Systems?
Cisco strongly recommends that all administrators update their ClamAV installations to the latest versions immediately.
- Check your version: Run
clamd --versionon your server to determine if you are running an affected build. - Apply patches: Download the latest versions from the official ClamAV website.
- Verify updates: After updating, restart the
clamdservice to ensure the new libraries are loaded into memory.
For organizations that cannot patch immediately, Cisco suggests monitoring for unexpected crashes of the clamd process, which may indicate an attempt to exploit these vulnerabilities. Future security integrity depends on regular updates, as legacy parsers remain a primary target for attackers looking for stable, long-term points of entry into network infrastructure.