Zimbra Collaboration: CVE-2025-20128: The ClamAV package has been upgraded to version 1.0.8 to fix multiple vulnerabilities.

A vulnerability in the object linking and embedding 2 (ole2) decryption routine of clamav could allow an unauthenticated, remote attacker to cause a denial of service (dos) condition on an affected device. this vulnerability is due to an integer underflow in a bounds check that allows for a heap buffer overflow read. an attacker could exploit this vulnerability by submitting a crafted file containing ole2 content to be scanned by clamav on an affected device. a successful exploit could allow the attacker to terminate the clamav scanning process, resulting in a dos condition on the affected software. for a description of this vulnerability, see the . cisco has released software updates that address this vulnerability. there are no workarounds that address this vulnerability.