CVE-2020-37167

high

Description

ClamAV versions prior to 0.103.0-rc contain a vulnerability in the function name processing of the ClamBC bytecode interpreter that allows attackers to manipulate bytecode function names. Because input validation of the function name encoding is weak, an attacker could exploit it to execute malicious bytecode or cause unexpected behavior in the ClamAV engine.

References

https://www.vulncheck.com/advisories/clamav-clambc-clambc-executable-regular-expression-error

https://www.exploit-db.com/exploits/47687

https://www.clamav.net/

https://github.com/Cisco-Talos/clamav/commit/cd2f2975b93277de7f74464d48adb378375a305f

Details

Source: Mitre, NVD

Published: 2026-02-12

Updated: 2026-02-27

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 8.6

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00032