CVE-2020-37167

8.4 HIGH

📋 TL;DR

CVE-2020-37167 is a high-severity (CVSS 8.4) vulnerability in ClamAV's bytecode interpreter (ClamBC): function names in loaded bytecode are not validated strictly enough, so an attacker can manipulate them. This could allow execution of malicious bytecode or push the engine into unexpected behaviour, including crashes. Any deployment running an affected version with bytecode loading enabled (the default) is exposed.

💻 Affected Systems

Products:
  • ClamAV
Versions: prior to 0.102.3 (range taken from the vendor advisory cited under Fix & Mitigation; see the verification note below)
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any deployment that loads bytecode signatures into the ClamBC interpreter (Bytecode yes in clamd.conf, which is the default).

⚠️ Manual Verification Required

The NVD entry for this CVE carries no version range, so automated matching against your inventory cannot decide whether a host is affected. The "prior to 0.102.3" range above comes from the vendor advisory and should be confirmed by hand.

Why? The CVE database entry doesn't specify which versions are vulnerable (no CPE version ranges were provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution in the context of the scanning process. Where clamd runs as a Windows service under SYSTEM or as root, that means complete compromise of the host and potential lateral movement within the network. On most Linux distributions clamd runs as a dedicated unprivileged user (the User option in clamd.conf), which bounds the immediate impact to that account and the files it scans.

🟠

Likely Case

Denial of service: clamd crashes while scanning a crafted input, disrupting malware scanning and any mail or web filtering that depends on it. Depending on how the milter or proxy is configured, traffic then either backs up (fail-closed) or passes unscanned (fail-open).

🟢

If Mitigated

Limited impact with proper network segmentation and restricted access to ClamAV services, though antivirus functionality may still be disrupted.

🌐 Internet-Facing: HIGH - ClamAV is often deployed in internet-facing email gateways and web servers where it processes untrusted files from external sources.
🏢 Internal Only: MEDIUM - Internal systems running ClamAV could be exploited through malicious files introduced via email, downloads, or removable media.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is reported to be publicly available and the vulnerability is rated low complexity; no exploit link is recorded on this page, however, so treat the weaponization status as unconfirmed until you have located the code yourself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.102.3 and later

Vendor Advisory: https://blog.clamav.net/2020/02/clamav-01023-security-patch-released.html

Restart Required: Yes

Instructions:

1. Download ClamAV 0.102.3 or later from clamav.net, or install your distribution's updated package.
2. Stop the ClamAV services (clamd, freshclam, and any clamav-milter).
3. Install the updated version.
4. Run freshclam to update the virus definitions.
5. Restart the ClamAV services and confirm the version with clamscan --version.

🔧 Temporary Workarounds

Disable bytecode interpreter

all

Temporarily disable the ClamBC bytecode interpreter to prevent exploitation. Note that this also stops bytecode signatures (.cbc) from matching, so detection coverage drops until bytecode is re-enabled after patching. clamconf only prints the effective configuration; it cannot change settings, so the option is set in clamd.conf.

# In clamd.conf (e.g. /etc/clamav/clamd.conf on Debian/Ubuntu, /etc/clamd.d/scan.conf on RHEL/Fedora), set:
Bytecode no

# Then restart the daemon (service name varies: clamav-daemon on Debian/Ubuntu, clamd@scan on RHEL/Fedora)
systemctl restart clamav-daemon

# For one-off scans with clamscan
clamscan --bytecode=no /path/to/scan

# Confirm the setting clamd will actually use
clamconf | grep -i bytecode

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ClamAV servers from critical systems
  • Run clamd as a dedicated unprivileged account (the User option in clamd.conf) rather than root or SYSTEM, so a compromise of the scanner does not hand over the host
  • Deploy additional security controls like file integrity monitoring and intrusion detection systems

🔍 How to Verify

Check if Vulnerable:

Run 'clamscan --version' and check if version is below 0.102.3

Check Version:

clamscan --version | head -1

Verify Fix Applied:

Run 'clamscan --version' and confirm version is 0.102.3 or higher
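An added helper for this page, written here rather than taken from the ClamAV project, that automates both checks above and also reports whether the "Bytecode no" workaround is in place. It assumes the first line of clamscan --version has the form ClamAV X.Y.Z[/signatures/date], and the clamd.conf locations it probes are examples that vary by distribution:

```shell
#!/bin/sh
# Added example for this page; not code from ClamAV or the original text.
# Checks (1) whether the installed engine is older than the fixed release and
# (2) whether the "Bytecode no" workaround is active in clamd.conf.
# Assumptions: `clamscan --version` prints "ClamAV X.Y.Z[/sigs/date]" on its
# first line; the clamd.conf paths listed below are examples only.

FIXED_VERSION="0.102.3"

# Extract the dotted version from a clamscan version line; prints nothing if
# the line does not look like one (e.g. a "devel-..." build).
clam_version() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*$/\1/p'
}

# Exit 0 when dotted version $1 is strictly older than $2, comparing each
# component numerically (so 0.99.4 < 0.102.3 even though "9" > "1" as text).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Exit 0 = affected build, 1 = fixed build, 2 = version line not understood.
check_version_line() {
    v=$(clam_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Exit 0 when the clamd.conf text on stdin has an uncommented "Bytecode no"
# line. Options are "Name value"; a leading '#' comments a line out. "no" is
# the documented form; false/0 are accepted here as a defensive assumption.
bytecode_disabled() {
    grep -Eiq '^[[:space:]]*Bytecode[[:space:]]+(no|false|0)[[:space:]]*$'
}

# Live check on a host with ClamAV installed; a no-op elsewhere.
if command -v clamscan >/dev/null 2>&1; then
    line=$(clamscan --version | head -n 1)
    check_version_line "$line" && rc=0 || rc=$?
    case $rc in
        0) echo "AFFECTED: $line is older than $FIXED_VERSION" ;;
        1) echo "OK: $line is $FIXED_VERSION or newer" ;;
        *) echo "UNKNOWN: could not parse '$line'" ;;
    esac
    # Example locations: Debian/Ubuntu, RHEL/Fedora, source/BSD default prefix.
    for conf in /etc/clamav/clamd.conf /etc/clamd.d/scan.conf /usr/local/etc/clamd.conf; do
        [ -r "$conf" ] || continue
        if bytecode_disabled < "$conf"; then
            echo "workaround active: $conf disables bytecode"
        else
            echo "bytecode enabled (default) in $conf"
        fi
    done
fi
```

The numeric component comparison matters here because a plain string sort puts 0.99.x after 0.102.x; the config check ignores commented-out lines so a leftover "# Bytecode no" is not mistaken for the workaround.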

📡 Detection & Monitoring

Log Indicators:

  • ClamAV service crashes, visible as repeated clamd restarts in the service manager's log (clamd does not log its own crash)
  • Unexpected bytecode execution errors ("LibClamAV Error:" / "LibClamAV Warning:" lines mentioning bytecode in clamd's LogFile)
  • High CPU/memory usage by clamd

Network Indicators:

  • Unusual outbound connections from ClamAV servers
  • Suspicious file uploads to systems running ClamAV

SIEM Query (generic; the field names are placeholders and must be mapped to however your SIEM ingests clamd's LogFile or syslog output):

source="clamav" AND (event="crash" OR event="error" OR event="bytecode")
