Security update for clamav SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0906-1 Final 1 1 2026-03-17T16:32:20Z current 2026-03-17T16:32:20Z 2026-03-17T16:32:20Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for clamav This update for clamav fixes the following issues: Update to clamav 1.5.2: Security issue: - CVE-2026-20031: improper error handling in the HTML CSS module when splitting UTF-8 strings can lead to denial of service conditions via a crafted HTML file (bsc#1259207). Non security issue: - Support transactional updates (jsc#PED-14819). Changelog: * Fixed a possible infinite loop when scanning some JPEG files by upgrading affected ClamAV dependency, a Rust image library. * The CVD verification process will now ignore certificate files in the CVD certs directory when the user lacks read permissions. * Freshclam: Fix CLD verification bug with PrivateMirror option. * Upgraded the Rust bytes dependency to a newer version to resolve RUSTSEC-2026-0007 advisory. * Fixed a possible crash caused by invalid pointer alignment on some platforms. * Minimal required Rust version is now 1.87. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-906 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260906-1/ Link for SUSE-SU-2026:0906-1 https://lists.suse.com/pipermail/sle-security-updates/2026-March/024701.html E-Mail link for SUSE-SU-2026:0906-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1221954 SUSE Bug 1221954 https://bugzilla.suse.com/1258072 SUSE Bug 1258072 https://bugzilla.suse.com/1259207 SUSE Bug 1259207 https://www.suse.com/security/cve/CVE-2026-20031/ SUSE CVE CVE-2026-20031 page clamav-1.5.2-150400.13.5.1 clamav-devel-1.5.2-150400.13.5.1 clamav-docs-html-1.5.2-150400.13.5.1 clamav-milter-1.5.2-150400.13.5.1 libclamav12-1.5.2-150400.13.5.1 libclammspack0-1.5.2-150400.13.5.1 libfreshclam4-1.5.2-150400.13.5.1 A vulnerability in the HTML Cascading Style Sheets (CSS) module of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper error handling when splitting UTF-8 strings. An attacker could exploit this vulnerability by submitting a crafted HTML file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the scanning process. CVE-2026-20031 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260906-1/ https://www.suse.com/security/cve/CVE-2026-20031.html CVE-2026-20031 https://bugzilla.suse.com/1259207 SUSE Bug 1259207