you know the ecosystem is FUBAR when this is your (and my) very first thought when a vuln pops up.
qprimed
a security site that (kinda) demands JS shields down? sigh... anyway here is the article for those that prefer to not do silly things...
cw: OOB writes and race conditions.
Open source antivirus scanning sits inside mail gateways, file upload checks, and endpoint tooling at organizations of every size. Much of that work runs through ClamAV, the scanning engine maintained by Cisco’s Talos group. The project released two patch versions, 1.5.3 and 1.4.5, carrying fixes for seven security flaws along with smaller hardening changes.
Most of the patched bugs sit in the code that unpacks and parses executable formats, the part of a scanner built to handle hostile input. CVE-2026-20213 is an integer overflow in the PE rebuild size calculation that a malformed Aspack-packed file can trigger, leading to a heap buffer overflow write. The related CVE-2026-20214 covers an FSG unpacker loop underflow that can write past the section array during a scan of a crafted PE file. Both reach far back through the codebase, with the FSG issue present in builds dating to 2004.
CVE-2026-20217 rounds out the PE group. A bug in the PESpin unpacker cleanup path could free pointers into the scanned file buffer and crash the scanner. That flaw has lived in the code since 2005. Archive and image format bugs
Three more fixes address archive and disk-image handling. CVE-2026-20215 is a 7z parser substream count overflow that can under-allocate parser metadata arrays and then write past them when reading a crafted archive. CVE-2026-20243 covers ALZ parser size handling errors that can make malformed ALZ archives panic, abort the scanner, or skip expected scan-limit handling. CVE-2026-20216 is an InstallShield archive extraction limit bypass that can write far more temporary data than intended and drain temporary storage.
The last parsing flaw, CVE-2026-20244, sits in the 32-bit DMG parser. A short mish stripe table could pass validation and crash the scanner. This one affects only 32-bit builds, going back to version 0.98.1, and leaves 64-bit builds untouched. Quarantine race condition
The releases also harden the quarantine actions in clamscan, clamdscan, and clamonacc against time-of-check/time-of-use races. Under unsafe quarantine directory settings, those races could redirect files as the scanner copied, moved, or removed them. Hiroki Imai of Ricerca Security, Inc. reported the issue.
Version 1.5.3 adds a few items beyond 1.4.5. It upgrades the Rust tar dependency to resolve two RUSTSEC advisories and moves the Rust openssl dependency past CVE-2026-41676. Metadata preclass scans now run before the final scan verdict. A ClamOnAcc fix addresses hash bucket list corruption when two watched paths land in the same bucket. Both releases raise the minimum CMake version to 3.17 to repair Linux builds that link static dependencies against libcurl v8.21.0.
The release files are available on the GitHub release page, and through Docker Hub in Alpine and Debian containers.
an absolutely amazing interview. I spent years of my childhood reading technical documents from this man. he and jay miner were heros of mine and the amiga completely changed my relationship with technology.
the words. they have committed a murder.
turns it into homemade napalm - sticky.
knives (three different ones)
loved your write up. thank you.
dont discount the utility of running containers in an abstracted Hardware Virtual Machine (HVM) away from your physical hardware. it expands your testing surfaces and sandboxes immeasurably.
also...
That means the US only has 197.25 million barrels left before the caverns could face irreparable damage. If the US consumers, who use 20 million barrels a day, had to rely exclusively on the SPR, the US only has less than a 9-day supply of reserves.
insane. just fucking insane.
finally! after 11 wretched years... real inspiration to correctly use the phrase "i'm with her".
“It has seen its job as explaining why we cannot instead of showing how we can, and that old way of thinking will lose on Tuesday. And frankly, it will lose in South Carolina and New Hampshire. It will fall short of 270 electoral votes, because the party of the past will not be what leads us into the future.”
the man is legitimately on fire.
just installed forgejo on a locally hosted lxc instance on a spare qemu VM. will use primarily for my own projects and external devs who collaborate on client projects.
doing my part to give an nvidia sized/shaped "torvalds" to ms.
edit: love it. glad I finally pulled the trigger on this.

drones are cheap.