Labels: area/documentation, area/security, kind/update (Update an existing feature, configuration file or the documentation), kind/upstream (Related to, or resolved by, an upstream project - Not resolvable within DMS), priority/high, service/security/clamav, stale-bot/ignore (Indicates that this issue / PR shall not be closed by our stale-checking CI)
Description
Preliminary Checks
- I tried searching for an existing issue and followed the debugging docs advice, but still need assistance.
What Happened?
CVE-2025-20260 is a buffer overflow write vulnerability located in ClamAV's PDF file parser module. It can lead to remote code execution (RCE) or denial-of-service (DoS) on affected systems.
This vulnerability is triggered only if:
- max_file_size scan limit is set to ≥ 1024MB
- max_scan_size scan limit is set to ≥ 1025MB
These settings might be configured by users handling large attachments or high-volume mail servers.
Please ensure that the ClamAV version used in docker-mailserver is updated to 1.4.3 (or 1.0.9 for LTS users) in the next patch release.
Additionally, a warning in the documentation about the large scan/file size limit thresholds might help reduce exposure.
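As an added example (not part of this issue or of the docker-mailserver project), the following Python check reads the two scan limits out of a clamd.conf text and reports whether they reach the thresholds stated above, and compares a ClamAV version string against the fixed releases named here. It assumes the limits are configured through the standard `MaxFileSize` and `MaxScanSize` clamd.conf directives (values such as `25M` or `2G`); the sample configurations are constructed for illustration and are not taken from any real deployment.

```python
"""Check a clamd.conf for the scan-limit combination under which
CVE-2025-20260 is reachable, and whether a ClamAV version is patched.

Added example, not part of the docker-mailserver issue or project.
Assumptions: limits are set via the standard `MaxFileSize` and
`MaxScanSize` directives (values like `1024M`, `2G`, or plain bytes),
and the fixed releases are 1.4.3 / 1.0.9 as stated in the issue.
"""
import re

MIB = 1024 * 1024
# Thresholds named in the issue: both must hold for the bug to be reachable.
FILE_SIZE_THRESHOLD = 1024 * MIB
SCAN_SIZE_THRESHOLD = 1025 * MIB

# Fixed releases per the issue text: 1.4.3 for the 1.4 line, 1.0.9 for LTS.
FIXED = {(1, 4): (1, 4, 3), (1, 0): (1, 0, 9)}

_SUFFIX = {"": 1, "K": 1024, "M": MIB, "G": 1024 * MIB}


def parse_size(value: str) -> int:
    """Convert a clamd.conf size value ('1024M', '2G', '500000') to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMGkmg]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised size value: {value!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2).upper()]


def read_limits(conf_text: str) -> dict:
    """Return the MaxFileSize/MaxScanSize directives found in clamd.conf text."""
    limits = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in ("MaxFileSize", "MaxScanSize"):
            limits[parts[0]] = parse_size(parts[1])
    return limits


def limits_expose_cve(conf_text: str) -> bool:
    """True when both limits sit at or above the thresholds from the issue."""
    limits = read_limits(conf_text)
    # A missing directive leaves clamd's default in place, which is well
    # below the threshold, so treat it as 0 for the comparison.
    return (limits.get("MaxFileSize", 0) >= FILE_SIZE_THRESHOLD
            and limits.get("MaxScanSize", 0) >= SCAN_SIZE_THRESHOLD)


def version_is_patched(version: str) -> bool:
    """Compare a 'major.minor.patch' string against the fixed releases."""
    parts = tuple(int(p) for p in version.strip().split("."))
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        # Release line not covered by the issue: do not report it as patched.
        return False
    return parts >= fixed


# Constructed sample configurations (not from any real deployment).
SAFE_CONF = """\
# limits close to the shipped defaults
MaxFileSize 25M
MaxScanSize 100M
"""
EXPOSED_CONF = """\
MaxFileSize 2G      # raised for large attachments
MaxScanSize 4096M
"""

if __name__ == "__main__":
    for name, conf in (("safe", SAFE_CONF), ("exposed", EXPOSED_CONF)):
        print(f"{name}: limits reach CVE-2025-20260 thresholds -> "
              f"{limits_expose_cve(conf)}")
    for v in ("1.4.2", "1.4.3", "1.0.8", "1.0.9"):
        print(f"ClamAV {v}: patched -> {version_is_patched(v)}")
```

Run it against the clamd.conf actually mounted into the container to see whether a deployment's raised limits fall into the affected range; a release line not listed in the issue is deliberately reported as unpatched so the check errs on the side of caution.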
Reproduction Steps
No response
DMS Version
v15.0.2
Operating System and Architecture
unrelated
Container configuration files
Relevant log output