CVE-2022-20803 in ClamAV

Summary

by MITRE • 02/17/2023

A vulnerability in the OLE2 file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to incorrect use of the realloc function that may result in a double-free. An attacker could exploit this vulnerability by submitting a crafted OLE2 file to be scanned by ClamAV on the affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition.


Analysis

by VulDB Data Team • 04/23/2026

CVE-2022-20803 resides in the OLE2 file parser of Clam AntiVirus (libclamav) in versions 0.104.0 through 0.104.2. Its impact is on availability only: a crafted file can crash the scanning process, but the advisory describes no confidentiality or integrity impact. The flaw is a memory management error around a realloc call that can end in a double-free. It matters most where ClamAV runs as a long-lived scanning service (clamd behind a mail gateway, proxy, file server or upload handler), because those deployments scan attacker-supplied files continuously and a crash takes the control out of the traffic path.

The root cause is incorrect handling of a realloc call in the OLE2 parsing logic. The advisory states only that realloc is used incorrectly and that the result may be a double-free; it does not publish the exact code path, so the shape of the bug has to be described in general terms. The usual way a realloc call produces a double-free is through its failure path: when realloc returns NULL the original block is still allocated and still owned by the caller, and code that frees it in the error branch and then falls through to a shared cleanup routine that frees the same pointer again releases the block twice. The allocator's metadata is corrupted and, in ClamAV's case, the scanning process aborts. A crafted OLE2 file steers the parser into that failure path. The weakness is classified as CWE-415 (Double Free).
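The following C program is an added illustration of that weakness class and its fix; it is not ClamAV's OLE2 parser and the function names (collect_vulnerable, collect_fixed, the tracked_* helpers) and the sample bytes are constructed for the demo. Because calling free() twice on a real pointer is undefined behaviour, frees go through a small tracker that performs the first free and only counts a repeat, and realloc failure is injected rather than waited for.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Demo of the CWE-415 shape behind "incorrect use of realloc": an error branch
 * frees the buffer on realloc failure, then a shared cleanup label frees it
 * again. Constructed for this page; not ClamAV code. */

#define TRACK_MAX 16
static bool      g_fail_next_realloc;   /* fault injection: make next realloc fail */
static int       g_double_free_count;   /* repeat frees caught by the tracker */
static uintptr_t g_freed[TRACK_MAX];
static int       g_freed_n;

static void tracker_reset(void)
{
    g_fail_next_realloc = false;
    g_double_free_count = 0;
    g_freed_n = 0;
}

/* Like realloc, including the contract that on NULL the old block stays valid. */
static void *tracked_realloc(void *p, size_t n)
{
    if (g_fail_next_realloc) {
        g_fail_next_realloc = false;
        return NULL;
    }
    return realloc(p, n);
}

/* Frees once; a second free of the same address is counted, not performed.
 * Harness only: it compares pointer values and never dereferences them. */
static void tracked_free(void *p)
{
    uintptr_t addr = (uintptr_t)p;
    if (p == NULL)
        return;
    for (int i = 0; i < g_freed_n; i++) {
        if (g_freed[i] == addr) {
            g_double_free_count++;
            return;
        }
    }
    if (g_freed_n < TRACK_MAX)
        g_freed[g_freed_n++] = addr;
    free(p);
}

/* Vulnerable: free #1 in the error branch, free #2 at cleanup. */
static int collect_vulnerable(const unsigned char *data, size_t len)
{
    size_t cap = 4, used = 0;
    int rc = -1;
    unsigned char *buf = malloc(cap);
    if (buf == NULL)
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (used == cap) {
            unsigned char *grown = tracked_realloc(buf, cap * 2);
            if (grown == NULL) {
                tracked_free(buf);  /* free #1 */
                goto cleanup;       /* cleanup performs free #2 */
            }
            buf = grown;
            cap *= 2;
        }
        buf[used++] = data[i];
    }
    rc = 0;
cleanup:
    tracked_free(buf);
    return rc;
}

/* Fixed: one owner, one release point. On realloc failure buf is still the
 * valid original block, so the error branch only jumps to cleanup. */
static int collect_fixed(const unsigned char *data, size_t len)
{
    size_t cap = 4, used = 0;
    int rc = -1;
    unsigned char *buf = malloc(cap);
    if (buf == NULL)
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (used == cap) {
            unsigned char *grown = tracked_realloc(buf, cap * 2);
            if (grown == NULL)
                goto cleanup;       /* buf freed exactly once below */
            buf = grown;
            cap *= 2;
        }
        buf[used++] = data[i];
    }
    rc = 0;
cleanup:
    tracked_free(buf);
    return rc;
}

typedef int (*collector_fn)(const unsigned char *, size_t);

/* Constructed input, longer than the initial capacity so growth is forced. */
static const unsigned char k_sample[] = "constructed stand-in for OLE2 bytes";

/* Runs fn with realloc failing on the first growth; returns double frees seen. */
static int double_frees_under_realloc_failure(collector_fn fn)
{
    tracker_reset();
    g_fail_next_realloc = true;
    (void)fn(k_sample, sizeof k_sample);
    return g_double_free_count;
}

/* Runs fn with a healthy allocator and returns its status (0 = success). */
static int status_without_failure(collector_fn fn)
{
    tracker_reset();
    return fn(k_sample, sizeof k_sample);
}
```

Under AddressSanitizer the vulnerable variant with a real free() would be reported as a double-free on the first run; the tracker here makes the same observation without the crash so the two variants can be compared in one process. The fix is not to add a NULL assignment after the first free but to remove the extra release: realloc's NULL return leaves the original allocation owned by the caller, and that owner should free it in exactly one place.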

The operational impact goes beyond a single failed scan. An attacker exploits the flaw by getting a crafted OLE2 file in front of the scanner, and in most deployments that means nothing more than sending an email attachment or uploading a document; no access to the ClamAV host or to clamd's socket is needed. Because clamd scans in threads of one process, a crash in one scan brings down the daemon for every client that depends on it, and until it is restarted other files pass through without being scanned or, depending on the integration, are rejected outright. OLE2 is the container format of legacy Microsoft Office documents (.doc, .xls, .ppt, .msg), so the file type is routine in exactly the mail and file-transfer paths where ClamAV is deployed.

From a threat modeling perspective the behaviour maps to ATT&CK T1499.004, Endpoint Denial of Service: Application or System Exploitation, since a single malformed input crashes the application rather than flooding the network. The attack requires no authentication or privileges, only the ability to submit a file for scanning, and it can be repeated for as long as the vulnerable version is in service. The consequence for organizations is a detection gap: while ClamAV is down, or after an attacker has crashed it deliberately, a follow-on malicious attachment or upload is not inspected. The risk is highest where ClamAV is the only malware control on the mail, file server or endpoint path.

Mitigation is to upgrade affected 0.104.x installations to ClamAV 0.104.3 or later, which contains the corrected realloc handling. Until then, administrators should watch for repeated clamd crashes and restarts, since a single malformed file reproducing the crash on each scan is a recognizable signature of this bug, and should confirm that the supervisor (for example a systemd unit with Restart=on-failure) restarts the daemon; automatic restart shortens each outage but does not stop an attacker who keeps resubmitting the file. Where a second scanning engine or a fail-closed policy is available, it keeps coverage during the window. More generally the bug is the kind that fuzzing the parser under AddressSanitizer catches, which is the appropriate test regime for any component that parses untrusted file formats. Incident response plans should treat a crashed scanner as a detection gap and include rescanning of material that passed while the service was down.
