ALAS-2025-866


Amazon Linux 2023 Security Advisory: ALAS-2025-866
Advisory Release Date: 2025-02-26 23:14 Pacific
Advisory Updated Date: 2025-03-05 16:33 Pacific
Severity: Medium

Issue Overview:

A vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to an integer underflow in a bounds check that allows for a heap buffer overflow read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software.
For a description of this vulnerability, see the .
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. (CVE-2025-20128)
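
The bug class described above (an unsigned underflow in a bounds check that then admits an out-of-bounds read), shown beside its hardened form. This is an added example, not ClamAV's code and not part of the original advisory; RECORD_LEN, the function names and the sample buffer are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECORD_LEN 16u  /* hypothetical fixed-size record, not ClamAV's layout */

/* Flawed check: when buf_len < RECORD_LEN the unsigned subtraction wraps to a
 * huge value, so every offset "passes" and a later read would leave the buffer. */
static int check_wrapping(size_t buf_len, size_t offset)
{
    return offset <= buf_len - RECORD_LEN;
}

/* Hardened check: rule out the short buffer first, then subtract. */
static int check_hardened(size_t buf_len, size_t offset)
{
    if (buf_len < RECORD_LEN)
        return 0;
    return offset <= buf_len - RECORD_LEN;
}

/* Copy one record out of buf using the hardened check.
 * Returns 0 on success, -1 if the record would extend past the buffer. */
static int read_record(const uint8_t *buf, size_t buf_len, size_t offset,
                       uint8_t out[RECORD_LEN])
{
    if (!check_hardened(buf_len, offset))
        return -1;
    memcpy(out, buf + offset, RECORD_LEN);
    return 0;
}

int main(void)
{
    uint8_t small[8] = {0};      /* constructed input: shorter than one record */
    uint8_t out[RECORD_LEN];

    printf("wrapping check, len=8 off=0:  %d\n", check_wrapping(sizeof small, 0));
    printf("hardened check, len=8 off=0:  %d\n", check_hardened(sizeof small, 0));
    printf("read_record on short buffer:  %d\n",
           read_record(small, sizeof small, 0, out));
    return 0;
}
```

The flawed check is only evaluated here, never followed by a read, so the program itself stays within bounds.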


Affected Packages:

clamav1.4


Issue Correction:
Run dnf update clamav1.4 --releasever 2023.6.20250303 to update your system.

New Packages:
aarch64:
    clamav1.4-milter-debuginfo-1.4.2-1.amzn2023.0.1.aarch64
    clamav1.4-1.4.2-1.amzn2023.0.1.aarch64
    clamd1.4-debuginfo-1.4.2-1.amzn2023.0.1.aarch64
    clamav1.4-freshclam-debuginfo-1.4.2-1.amzn2023.0.1.aarch64
    clamd1.4-1.4.2-1.amzn2023.0.1.aarch64
    clamav1.4-lib-debuginfo-1.4.2-1.amzn2023.0.1.aarch64
    clamav1.4-milter-1.4.2-1.amzn2023.0.1.aarch64
    clamav1.4-debuginfo-1.4.2-1.amzn2023.0.1.aarch64
    clamav1.4-freshclam-1.4.2-1.amzn2023.0.1.aarch64
    clamav1.4-devel-1.4.2-1.amzn2023.0.1.aarch64
    clamav1.4-lib-1.4.2-1.amzn2023.0.1.aarch64
    clamav1.4-debugsource-1.4.2-1.amzn2023.0.1.aarch64

noarch:
    clamav1.4-doc-1.4.2-1.amzn2023.0.1.noarch
    clamav1.4-data-1.4.2-1.amzn2023.0.1.noarch
    clamav1.4-filesystem-1.4.2-1.amzn2023.0.1.noarch

src:
    clamav1.4-1.4.2-1.amzn2023.0.1.src

x86_64:
    clamav1.4-milter-debuginfo-1.4.2-1.amzn2023.0.1.x86_64
    clamav1.4-1.4.2-1.amzn2023.0.1.x86_64
    clamav1.4-freshclam-debuginfo-1.4.2-1.amzn2023.0.1.x86_64
    clamd1.4-1.4.2-1.amzn2023.0.1.x86_64
    clamd1.4-debuginfo-1.4.2-1.amzn2023.0.1.x86_64
    clamav1.4-freshclam-1.4.2-1.amzn2023.0.1.x86_64
    clamav1.4-devel-1.4.2-1.amzn2023.0.1.x86_64
    clamav1.4-lib-debuginfo-1.4.2-1.amzn2023.0.1.x86_64
    clamav1.4-debuginfo-1.4.2-1.amzn2023.0.1.x86_64
    clamav1.4-milter-1.4.2-1.amzn2023.0.1.x86_64
    clamav1.4-lib-1.4.2-1.amzn2023.0.1.x86_64
    clamav1.4-debugsource-1.4.2-1.amzn2023.0.1.x86_64