CBL Mariner 2.0 Security Update: clamav (CVE-2025-20260)

🗓️ 11 Jul 2025 00:00:00Reported by TenableType

ClamAV on CBL Mariner 2.0 is vulnerable (CVE-2025-20260) to buffer overflow and DoS attacks.

Reporter	Title	Published	Views	Family All 78
IBM Security Bulletins	Security Bulletin: IBM Storage Defender: Data Protect critical vulnerabilities resolved in release Defender 2.1.0/Data Protect 7.3	10 Dec 202515:04	–	ibm
FreeBSD	clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability	18 Jun 202500:00	–	freebsd
Tenable Nessus	Amazon Linux 2023 : clamav1.4, clamav1.4-data, clamav1.4-devel (ALAS2023-2025-1081)	10 Jul 202500:00	–	nessus
Tenable Nessus	Azure Linux 3.0 Security Update: clamav (CVE-2025-20260)	11 Jul 202500:00	–	nessus
Tenable Nessus	ClamAV 0.99.4 < 1.0.9, 1.2.0 < 1.4.3 Multiple Vulnerabilities	8 Jul 202500:00	–	nessus
Tenable Nessus	Debian dla-4292 : clamav - security update	4 Sep 202500:00	–	nessus
Tenable Nessus	Fedora 42 : clamav (2025-2ac841fe82)	21 Jun 202500:00	–	nessus
Tenable Nessus	Fedora 41 : clamav (2025-88b0ad0c1f)	27 Jun 202500:00	–	nessus
Tenable Nessus	FreeBSD : clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability (3dcc0812-4da5-11f0-afcc-f02f7432cf97)	21 Jun 202500:00	–	nessus
Tenable Nessus	SUSE SLES15 Security Update : clamav (SUSE-SU-2025:02119-1)	27 Jun 202500:00	–	nessus

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-20260
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(241942);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/07/11");

  script_cve_id("CVE-2025-20260");
  script_xref(name:"IAVB", value:"2025-B-0098");

  script_name(english:"CBL Mariner 2.0 Security Update: clamav (CVE-2025-20260)");

  script_set_attribute(attribute:"synopsis", value:
"The remote CBL Mariner host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of clamav installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore,
affected by a vulnerability as referenced in the CVE-2025-20260 advisory.

  - A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to
    cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on
    an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF
    files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be
    scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer
    overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the
    affected software. Although unproven, there is also a possibility that an attacker could leverage the
    buffer overflow to execute arbitrary code with the privileges of the ClamAV process. (CVE-2025-20260)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2025-20260");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-20260");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/07/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/07/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:clamav");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:clamav-debuginfo");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:microsoft:cbl-mariner");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MarinerOS Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CBLMariner/release", "Host/CBLMariner/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item('Host/CBLMariner/release');
if (isnull(release) || 'CBL-Mariner' >!< release) audit(AUDIT_OS_NOT, 'CBL-Mariner');
var os_ver = pregmatch(pattern: "CBL-Mariner ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CBL-Mariner');
os_ver = os_ver[1];
if (! preg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'CBL-Mariner 2.0', 'CBL-Mariner ' + os_ver);

if (!get_kb_item('Host/CBLMariner/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu)
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CBL-Mariner', cpu);

var pkgs = [
    {'reference':'clamav-1.0.9-1.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'clamav-1.0.9-1.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'CBLMariner-' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'clamav / clamav-debuginfo');
}

11 Jul 2025 00:00Current

9.2High risk

Vulners AI Score9.2

CVSS 3.19.8

EPSS0.01231

SSVC