7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.875 High
EPSS
Percentile
98.7%
Clamav team reports:
A heap overflow vulnerability was discovered in libclamav
which could cause a denial of service or allow the
execution of arbitrary code.
The problem is specifically located in the PE file rebuild
function used by the UPX unpacker.
Relevant code from libclamav/upx.c:
memcpy(dst, newbuf, foffset);
*dsize = foffset;
free(newbuf);
cli_dbgmsg("UPX: PE structure rebuilt from compressed file\n");
return 1;
Due to improper validation it is possible to overflow the above
memcpy() beyond the allocated memory block.