ClamAV 1.5.3 Patches Multiple Security Flaws in Open-Source Antivirus Scanner
ClamAV 1.5.3 has been released as a security update for the open-source antivirus engine widely deployed on Linux and Unix systems, particularly for mail gateway scanning and automated malware detection.
Seven CVEs Closed
The update fixes several vulnerabilities in file parsing. CVE-2026-20217 affects the PESpin unpacker cleanup path, where a bug can free pointers into the scanned file buffer and crash the scanner. CVE-2026-20213 is an integer overflow in PE rebuild size calculations, triggered by a malformed Aspack-packed PE file, leading to a heap buffer overflow.
Archive scanning also received critical fixes. CVE-2026-20216 patches an InstallShield extraction limit bypass that could exhaust storage. CVE-2026-20243 addresses ALZ parser size-handling bugs that can panic or abort the scanner. The 7z parser fix for CVE-2026-20215 prevents out-of-bounds writes caused by a substream count overflow in malformed archives.
Additionally, ClamAV 1.5.3 hardens quarantine operations in clamscan, clamdscan, and clamonacc against time-of-check/time-of-use race conditions. Users still on the older 1.4 branch should upgrade to ClamAV 1.4.5, which includes the same security fixes.
How to Update
Package manager users will receive the update through normal distro channels. Manual installations are available from the ClamAV downloads page, GitHub releases, and Docker Hub.
Given the severity of the heap overflows and archive parser vulnerabilities, administrators should deploy this update promptly, especially on systems running ClamAV for email scanning or file server protection.