Cisco has published new releases of the free antivirus package ClamAV, 1.4.2 and 1.0.8, which fix a vulnerability (CVE-2025-20128). The vulnerability is caused by a buffer overflow in the parsing code for OLE2 (Object Linking and Embedding 2) files, which an unauthenticated remote attacker could use to cause a denial of service. The problem has been present since the release of ClamAV 1.0.0 and was identified during fuzz testing by the OSS-Fuzz project.
The vulnerability is caused by an integer overflow during a bounds check, which leads to an out-of-bounds read. The issue manifests when processing a file containing specially crafted OLE2 content and causes the scanning process to crash. A prototype exploit has been reported online that could be used to attack email clients, servers or file-sharing systems that use ClamAV.
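The bug class described above, an integer overflow inside a bounds check that lets an out-of-bounds read through, is shown below as an added, constructed illustration. It is generic example code, not ClamAV's OLE2 parser: the `chunk_hdr` layout, `check_bounds_vulnerable`, `check_bounds_fixed` and `demo_extract` are assumptions made for this example, and the 64-byte sample buffer is constructed inline.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical chunk header whose fields come straight from the file,
 * i.e. both values are attacker-controlled (assumption for this example). */
struct chunk_hdr {
    uint32_t offset;
    uint32_t length;
};

/* Vulnerable pattern: offset + length is computed in 32-bit arithmetic and
 * can wrap around, so a pair such as (0x10, 0xFFFFFFF8) yields end == 0x8,
 * which passes the check even though the chunk lies far outside the buffer.
 * Returns true when the chunk is accepted. */
bool check_bounds_vulnerable(const struct chunk_hdr *h, uint32_t buf_size)
{
    uint32_t end = h->offset + h->length;   /* may wrap */
    return end <= buf_size;
}

/* Hardened pattern: never form a sum that can wrap. Validate the offset
 * first, then compare the length against the space that remains. */
bool check_bounds_fixed(const struct chunk_hdr *h, uint32_t buf_size)
{
    if (h->offset > buf_size)
        return false;
    return h->length <= buf_size - h->offset;
}

/* Copies the chunk into dst only after the hardened check passes.
 * Returns the number of bytes copied, or 0 if the chunk was rejected. */
uint32_t extract_chunk(const uint8_t *buf, uint32_t buf_size,
                       const struct chunk_hdr *h,
                       uint8_t *dst, uint32_t dst_size)
{
    if (!check_bounds_fixed(h, buf_size) || h->length > dst_size)
        return 0;
    memcpy(dst, buf + h->offset, h->length);
    return h->length;
}

/* Constructed 64-byte "file" (buf[i] == i) so the helpers can be exercised
 * without any real input. Returns the byte count extract_chunk copied. */
uint32_t demo_extract(uint32_t offset, uint32_t length)
{
    uint8_t file[64];
    uint8_t out[64];
    for (uint32_t i = 0; i < sizeof file; i++)
        file[i] = (uint8_t)i;
    struct chunk_hdr h = { offset, length };
    return extract_chunk(file, sizeof file, &h, out, sizeof out);
}

int main(void)
{
    struct chunk_hdr crafted = { 0x10, 0xFFFFFFF8 };  /* wraps to end == 8 */
    struct chunk_hdr benign  = { 0x10, 0x20 };

    printf("crafted: vulnerable=%d fixed=%d\n",
           check_bounds_vulnerable(&crafted, 64), check_bounds_fixed(&crafted, 64));
    printf("benign:  vulnerable=%d fixed=%d\n",
           check_bounds_vulnerable(&benign, 64), check_bounds_fixed(&benign, 64));
    printf("copied %u bytes from benign chunk\n", demo_extract(0x10, 4));
    return 0;
}
```

The vulnerable check accepts the crafted header while the hardened one rejects it; both agree on well-formed input, which is why such a defect only surfaces under fuzzing or with a deliberately crafted file.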
Source: opennet.ru
