ClamAV UDF File Parsing Out-of-Bounds Read Information Disclosure Vulnerability

🚨 SEVERITY: MEDIUM (CVSS 5.3) Security Advisory

TL;DR 📌

  • A vulnerability in Universal Disk Format (UDF) processing of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to a memory overread during UDF file scanning. An attacker could exploit this vulnerability by submitting a crafted file containing UDF content to be scanned by ClamAV on…
  • Fixed releases are listed in the affected products table: Secure Endpoint Connector for Linux and Mac 1.26.1; Secure Endpoint Connector for Windows 7.5.21 or 8.4.5, depending on train.
  • No workarounds are available; upgrading the connector is the only remediation.
  • CVEs: CVE-2025-20234.

What happened 🕵️‍♂️

Impacts of ClamAV DoS Vulnerability on Affected Platforms

This vulnerability, which has a Medium Security Impact Rating (SIR), affects Linux, Mac, and Windows-based platforms. Exploitation of the vulnerability could cause the scanning process to crash, delaying or preventing further scanning operations. However, overall system stability is not affected. See the Assessing Security Risk [“https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#asr”] section of the Cisco Security Vulnerability Policy for information about vulnerability scoring and SIRs.
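To make the bug class concrete, the following is an added example, not ClamAV's code and not the defective code path itself (the advisory does not describe it). It parses the 16-byte ECMA-167 descriptor tag that begins every UDF descriptor, first in the vulnerable shape, where the CRC length read from the file is trusted and a crafted image can make the CRC routine read past the end of the buffer, then in the hardened shape, where every file-supplied length is bounded by the bytes actually in memory. The type and function names (udf_tag_t, udf_parse_tag, udf_parse_tag_naive, udf_build_desc, udf_demo) and the 32-byte sample descriptor body are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ECMA-167 descriptor tag: the 16-byte little-endian header at the start of every UDF descriptor. */
#define UDF_TAG_SIZE 16

typedef struct {
    uint16_t tag_id;        /* descriptor type, e.g. 2 = Anchor Volume Descriptor Pointer */
    uint16_t desc_version;
    uint8_t  tag_checksum;  /* sum mod 256 of tag bytes 0-3 and 5-15 */
    uint16_t tag_serial;
    uint16_t desc_crc;      /* CRC-CCITT over desc_crc_len bytes following the tag */
    uint16_t desc_crc_len;  /* read from the file: the value a crafted image can inflate */
    uint32_t tag_location;
} udf_tag_t;

enum { UDF_OK = 0, UDF_ERR_SHORT = -1, UDF_ERR_TAGSUM = -2, UDF_ERR_CRCLEN = -3, UDF_ERR_CRC = -4 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* CRC-CCITT (polynomial 0x1021, initial value 0), the descriptor CRC defined by ECMA-167. */
uint16_t udf_crc16(const uint8_t *d, size_t n) {
    uint16_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(d[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

uint8_t udf_tag_checksum(const uint8_t *tag) {
    unsigned sum = 0;
    for (int i = 0; i < UDF_TAG_SIZE; i++)
        if (i != 4) sum += tag[i];
    return (uint8_t)sum;
}

static void udf_unpack_tag(const uint8_t *p, udf_tag_t *t) {
    t->tag_id = rd16(p);          t->desc_version = rd16(p + 2);
    t->tag_checksum = p[4];       t->tag_serial = rd16(p + 6);
    t->desc_crc = rd16(p + 8);    t->desc_crc_len = rd16(p + 10);
    t->tag_location = rd32(p + 12);
}

/* Vulnerable shape: desc_crc_len is trusted, so a tag claiming more bytes than remain in buf
 * makes udf_crc16 read past the end of the buffer (an out-of-bounds read). Shown for contrast;
 * it is only ever called on well-formed input here. */
int udf_parse_tag_naive(const uint8_t *buf, size_t len, size_t off, udf_tag_t *t) {
    if (off > len || len - off < UDF_TAG_SIZE) return UDF_ERR_SHORT;
    udf_unpack_tag(buf + off, t);
    return udf_crc16(buf + off + UDF_TAG_SIZE, t->desc_crc_len) == t->desc_crc ? UDF_OK : UDF_ERR_CRC;
}

/* Hardened shape: the tag checksum is verified before any field is trusted, and every length
 * that comes from the file is bounded by what is actually in memory before it is used. */
int udf_parse_tag(const uint8_t *buf, size_t len, size_t off, udf_tag_t *t) {
    if (off > len || len - off < UDF_TAG_SIZE) return UDF_ERR_SHORT;
    const uint8_t *p = buf + off;
    if (udf_tag_checksum(p) != p[4]) return UDF_ERR_TAGSUM;
    udf_unpack_tag(p, t);
    size_t avail = len - off - UDF_TAG_SIZE;            /* bytes really present after the tag */
    if (t->desc_crc_len > avail) return UDF_ERR_CRCLEN; /* the check that prevents the overread */
    if (udf_crc16(p + UDF_TAG_SIZE, t->desc_crc_len) != t->desc_crc) return UDF_ERR_CRC;
    return UDF_OK;
}

/* Builds a descriptor (tag + body) as test input. claimed_crc_len lets the caller lie in the
 * tag the way a crafted UDF image would. Returns bytes written, or 0 if out is too small. */
size_t udf_build_desc(uint8_t *out, size_t cap, uint16_t tag_id, const uint8_t *body,
                      size_t body_len, uint16_t claimed_crc_len) {
    if (cap < UDF_TAG_SIZE + body_len) return 0;
    memset(out, 0, UDF_TAG_SIZE);
    wr16(out, tag_id);   wr16(out + 2, 3);   wr16(out + 6, 1);
    wr16(out + 8, udf_crc16(body, body_len));
    wr16(out + 10, claimed_crc_len);
    wr32(out + 12, 256);
    out[4] = udf_tag_checksum(out);
    memcpy(out + UDF_TAG_SIZE, body, body_len);
    return UDF_TAG_SIZE + body_len;
}

/* Parses a constructed 32-byte descriptor; crafted != 0 sets desc_crc_len to 0xFFFF. */
int udf_demo(int crafted) {
    uint8_t body[32], desc[64];
    for (int i = 0; i < 32; i++) body[i] = (uint8_t)(0xA0 + i);   /* constructed sample body */
    size_t n = udf_build_desc(desc, sizeof desc, 2, body, sizeof body,
                              crafted ? 0xFFFF : (uint16_t)sizeof body);
    udf_tag_t t;
    return udf_parse_tag(desc, n, 0, &t);
}

int main(void) {
    printf("well-formed descriptor: %d (0 = OK)\n", udf_demo(0));
    printf("crafted desc_crc_len:   %d (-3 = length rejected, no overread)\n", udf_demo(1));
    return 0;
}
```

The point of the contrast is the single comparison against avail: in the naive parser a 16-bit length field is enough to walk up to 64 KiB past the end of whatever buffer holds the descriptor, which in a scanner that maps the whole file is exactly the crash the advisory describes. The hardened parser also refuses to act on any field until the tag checksum matches, so random corruption is rejected cheaply before the CRC is computed.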

Cisco Secure Endpoint Connector, which is distributed from Cisco Secure Endpoint Private Cloud, is affected by this vulnerability. Cisco Secure Endpoint Private Cloud is not affected.

Affected products 🖥️

The following table lists Cisco products that are affected by the vulnerability that is described in this advisory. Customers should refer to the associated Cisco bug IDs for further details.

Affected Cisco Software Platform | CVSS Base Score | Security Impact Rating | Cisco Bug ID | First Fixed Release
Secure Endpoint Connector for Linux | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) | Medium | CSCwo45640 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwo45640”] | 1.26.1
Secure Endpoint Connector for Mac | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) | Medium | CSCwo45640 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwo45640”] | 1.26.1
Secure Endpoint Connector for Windows | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) | Medium | CSCwo45640 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwo45640”] | 7.5.21, 8.4.5
Secure Endpoint Private Cloud | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) | Medium | CSCwo45640 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwo45640”] | 4.2.2 or earlier with updated connectors

Cisco products may be impacted differently depending on implementation and usage of ClamAV. For information on the effects of this vulnerability on specific Cisco products, see the Details ["#details"] section of this advisory.

Fixed software 🔧

Upgrade to the first fixed release in your train (or later):

Release / Product | First Fixed Release | Notes
Secure Endpoint Connector for Linux | 1.26.1 |
Secure Endpoint Connector for Mac | 1.26.1 |
Secure Endpoint Connector for Windows | 7.5.21 or 8.4.5, depending on train |
Secure Endpoint Private Cloud | 4.2.2 or earlier with updated connectors | Private Cloud itself is not affected; the fix is to update the connectors it distributes.

Workarounds 🧯

There are no workarounds that address this vulnerability.

Risk in context 🎯

Use the vendor CVSS (5.3; AV:N/AC:L/PR:N/UI:N, availability impact only) for prioritization, then weigh exposure and asset criticality. Exposure is driven by whether untrusted files reach the scanner: no authentication or user interaction is required, so any host that scans attacker-supplied content (downloads, mail attachments, shared uploads) can have its scanning process crashed. The host itself stays up, but scanning is delayed or blocked until the process restarts, which is a detection gap rather than a clean result.

Fast facts ⚑

  • Advisory: cisco-sa-clamav-udf-hmwd9nDy
  • Initial release: 2025-06-18T16:00:00 UTC
  • Last updated: 2025-06-18T16:00:00 UTC

For leadership 🧭

Executive summary. Risk is Medium (CVSS 5.3) for Cisco Secure Endpoint Connector on Linux, Mac, and Windows. Vendor fixes are available; prioritize upgrade within 30 days based on environment risk.

Why it matters (exposure drivers):

  • Impact is limited to the ClamAV scanning process: a crafted file can crash it and delay or prevent further scanning; overall system stability is not affected.
  • Treat endpoints that routinely scan untrusted files (downloads, mail attachments, shared uploads) as higher risk, since exploitation needs no authentication or user interaction.
  • Monitor for scanner process crashes and restarts until upgrades complete, and treat a crashed scanner as a coverage gap, not as a file that scanned clean.

Remediation & timing:

  • Upgrade to the first fixed release per the table above; schedule an approved change window within 30 days.
  • Change risk: low-to-moderate (standard vendor patch). Validate backups and rollback plan.

Now / Next / Later:

  • Now: Confirm exposure, identify affected versions, and enable monitoring/alerts.
  • Next: Patch according to the fixed software table; verify service health post-change.
  • Later: Add control checks to build pipeline/CMDB to block drift to vulnerable trains.