CVE-2020-37167

ClamAV versions prior to 0.103.0-rc contain a vulnerability in function name processing through the ClamBC bytecode interpreter that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious bytecode or cause unexpected behavior in the ClamAV engine.

Configurations

No configuration.

History

27 Feb 2026, 22:16

Type Values Removed Values Added
Summary
  • Removed: (en) ClamAV versions prior to 0.102.0, fixed in 0.103.0-rc, ClamBC bytecode interpreter contains a vulnerability in function name processing that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious bytecode or cause unexpected behavior in the ClamAV engine.
  • Added: (en) ClamAV versions prior to 0.103.0-rc contain a vulnerability in function name processing through the ClamBC bytecode interpreter that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious bytecode or cause unexpected behavior in the ClamAV engine.

27 Feb 2026, 20:21

Type Values Removed Values Added
Summary
  • Removed: (en) ClamAV ClamBC bytecode interpreter contains a vulnerability in function name processing that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious bytecode or cause unexpected behavior in the ClamAV engine.
  • Added: (en) ClamAV versions prior to 0.102.0, fixed in 0.103.0-rc, ClamBC bytecode interpreter contains a vulnerability in function name processing that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious bytecode or cause unexpected behavior in the ClamAV engine.
References
  • https://github.com/Cisco-Talos/clamav/commit/cd2f2975b93277de7f74464d48adb378375a305f
CWE CWE-94
CVSS v2 : unknown
v3 : 9.8
v2 : unknown
v3 : 8.4

27 Feb 2026, 17:16

Type Values Removed Values Added
Summary
  • (es) The ClamAV ClamBC bytecode interpreter contains a vulnerability in function name processing that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious bytecode or cause unexpected behavior in the ClamAV engine.
References
  • {'url': 'https://www.vulncheck.com/advisories/clamav-clambc-clambc-executable-regular-expression', 'source': '[email protected]'}
  • https://www.vulncheck.com/advisories/clamav-clambc-clambc-executable-regular-expression-error

13 Feb 2026, 14:23

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-12 23:16

Updated : 2026-02-27 22:16


NVD link : CVE-2020-37167

Mitre link : CVE-2020-37167

CVE.ORG link : CVE-2020-37167



Products Affected

No product.

CWE

No CWE.