CVE-2020-37167 HIGH

CVE-2020-37167: ClamAV ClamBC < 0.103.0-rc - 'ClamBC' Executable Regular Expression Error

Published February 12, 2026
Last update April 7, 2026

CVSS base score

8.6/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

ClamAV versions prior to 0.103.0-rc contain a vulnerability in function name processing through the ClamBC bytecode interpreter that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious bytecode or cause unexpected behavior in the ClamAV engine.

Key dates

02 Disclosure timeline

February 12, 2026 CVE published
April 7, 2026 Record updated