CVE-2024-20380

7.5 HIGH

📋 TL;DR

A vulnerability in ClamAV's HTML parser allows remote attackers to cause denial of service by submitting crafted HTML files. This affects systems running vulnerable versions of ClamAV that scan untrusted content. The vulnerability stems from an issue in the C to Rust foreign function interface.

💻 Affected Systems

Products:
  • ClamAV
Versions: Versions prior to 1.3.1, 1.2.3, and 1.0.6
Operating Systems: All platforms running ClamAV
Default Config Vulnerable: ⚠️ Yes
Notes: Any ClamAV installation scanning HTML content is vulnerable. This includes email gateways, web application firewalls, and file scanning services.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete disruption of ClamAV scanning services, potentially affecting dependent security systems like email gateways or file upload scanners.

🟠 Likely Case: Intermittent scanning process crashes requiring service restarts, reducing security coverage during downtime.

🟢 If Mitigated: Minimal impact with proper network segmentation and monitoring to detect and restart failed processes.

🌐 Internet-Facing: HIGH - ClamAV often processes untrusted content from internet sources like email attachments or web uploads.
🏢 Internal Only: MEDIUM - Lower risk if only scanning internal trusted content, but still vulnerable to internal threats.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Only requires submitting a crafted HTML file

The vulnerability is in the parsing logic, making exploitation straightforward once the specific trigger is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.1, 1.2.3, or 1.0.6

Vendor Advisory: https://blog.clamav.net/2024/04/clamav-131-123-106-patch-versions.html

Restart Required: Yes

Instructions:

1. Download the patched version from clamav.net.
2. Stop ClamAV services.
3. Install the update.
4. Update virus definitions.
5. Restart ClamAV services.

🔧 Temporary Workarounds

Disable HTML parsing
  • Applies to: all
  • Configure ClamAV to skip HTML file scanning if not required
  • Add 'ScanHTML no' to clamd.conf

Rate limit scanning
  • Applies to: all
  • Limit the number of concurrent scans to reduce DoS impact
  • Set 'MaxThreads' and 'MaxConnectionQueueLength' in clamd.conf

🧯 If You Can't Patch

  • Implement strict file type filtering to block HTML files from reaching ClamAV
  • Deploy monitoring to automatically restart ClamAV services when crashes occur

🔍 How to Verify

Check if Vulnerable:

Run 'clamscan --version' and check whether the reported version is older than the fixed release for its branch (1.3.1 for 1.3.x, 1.2.3 for 1.2.x, 1.0.6 for 1.0.x)

Check Version:

clamscan --version

Verify Fix Applied:

Confirm with 'clamscan --version' that the installed version is 1.3.1, 1.2.3, or 1.0.6, or a later release in the same branch
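The version check above, as an added POSIX shell example (not part of this advisory or of the ClamAV project): it parses the 'clamscan --version' output format ("ClamAV X.Y.Z/dbversion/date") and compares the X.Y.Z part against the fixed release for its branch. Branches not listed in the advisory are reported as "unknown" rather than guessed; the sample output string is constructed.

```shell
# Fixed releases for CVE-2024-20380, per branch, as stated in the advisory.
# Branches not listed (e.g. 1.1.x or 0.10x.x) are reported as "unknown".

# Extract "X.Y.Z" from 'clamscan --version' output such as
# "ClamAV 1.2.1/27234/Mon Apr 15 08:12:19 2024" (the "/db/date" part is optional).
clamav_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print "vulnerable", "fixed" or "unknown" for an X.Y.Z version string.
clamav_cve_2024_20380_status() {
    ver="$1"
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        1.3) fixed_patch=1 ;;   # fixed in 1.3.1
        1.2) fixed_patch=3 ;;   # fixed in 1.2.3
        1.0) fixed_patch=6 ;;   # fixed in 1.0.6
        *)   echo unknown; return 0 ;;
    esac
    if [ "$patch" -lt "$fixed_patch" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Check the locally installed clamscan, if present; prints "<version> <status>".
# Returns 2 when clamscan is not on PATH.
check_installed_clamav() {
    out=$(clamscan --version 2>/dev/null) || { echo "clamscan not found"; return 2; }
    v=$(clamav_version_from_output "$out")
    printf '%s %s\n' "${v:-?}" "$(clamav_cve_2024_20380_status "$v")"
}

# Constructed sample output (not a real scan), to show the parsing end to end:
SAMPLE_OUTPUT='ClamAV 1.2.1/27234/Mon Apr 15 08:12:19 2024'
SAMPLE_VERSION=$(clamav_version_from_output "$SAMPLE_OUTPUT")
```

Run `check_installed_clamav` on a host to classify the installed build; a "vulnerable" result means the HTML parser fix is absent and the workarounds above apply until the patch is installed.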

📡 Detection & Monitoring

Log Indicators:

  • ClamAV process crashes
  • Unexpected service termination
  • Scanning failures for HTML files

Network Indicators:

  • Increased HTML file submissions followed by scanning service disruption

SIEM Query:

source="clamav" AND ("crash" OR "terminated" OR "segmentation fault")
