Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local file scan trigger (AV:L), no auth (PR:N), user/auto-scan delivers file (UI:R); AC:L as in the published vector, although turning an OOB read into code execution is non-trivial and would argue for AC:H, which would lower the base score from 7.8 to 7.0; full CIA impact via privileged AV process.
Primary rating from Vendor (GEN).
CVSS Vector (Vendor: GEN)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (CVE.org)
Heap buffer out-of-bounds read vulnerability in Avira Antivirus engine when scanning a malformed PDF file may allow Local Execution of Code or Denial-of-Service of the antivirus engine process.
This issue affects Avira Antivirus on Windows, macOS, and Linux for engine builds before 8.3.70.56.
Analysis (AI)
Out-of-bounds heap read in the Avira Antivirus scanning engine triggers when the engine parses a malformed PDF, allowing local code execution or denial-of-service of the antivirus process on Windows, macOS, and Linux engine builds prior to 8.3.70.56. The CVSS 7.8 (High) base score reflects a local attack vector with required user interaction (the engine must scan the attacker-supplied file) combined with full confidentiality, integrity and availability impact; no public exploit had been identified at the time of analysis. Because the AV engine typically runs with elevated privileges, successful code execution would inherit those privileges.
Technical Context (AI)
The flaw is in Gen Digital's Avira Antivirus scanning engine, identified by CPE cpe:2.3:a:gen_digital:avira_antivirus and classified as CWE-125 (Out-of-bounds Read). The vulnerable code path is the engine's PDF parser, which during inspection of a crafted PDF reads heap memory past the bounds of an allocated buffer. An out-of-bounds read does not write memory by itself, but in a parser it can still do real damage: the read may cross into an unmapped page and crash the scanner (the denial-of-service case), it can leak adjacent heap contents, and the out-of-bounds bytes are often consumed as lengths, offsets or pointers by later parsing steps, so an attacker who shapes the heap so that those bytes carry chosen values can turn the read into a memory-corruption primitive and, from there, into code execution in the scanner process. Antivirus engines are particularly attractive targets because they auto-scan untrusted content (downloads, email attachments, files written to disk) and generally execute as a privileged service such as SYSTEM on Windows or root on Linux/macOS.
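As an added illustration (example code written for this page, not Avira's engine code, whose PDF parser is not public), the C below shows the CWE-125 pattern in miniature. A PDF stream object carries a /Length entry; a parser that trusts that declared length hands its consumer a view extending past the end of the buffer, which is exactly where a memcpy or checksum loop would read out of bounds. The hardened version bounds the declared length against the bytes remaining in the buffer and checks that the endstream keyword sits where the length says it should. The sample objects are constructed, the function names are this example's own, and the parser is deliberately minimal (indirect /Length references and filters are not handled).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A view onto the body of a PDF stream object inside a buffer. */
typedef struct {
    size_t off;   /* offset of the first stream byte within the object */
    size_t len;   /* number of bytes a consumer will read from off */
} stream_view;

/* Constructed sample objects (not taken from any real file). */
static const char good_obj[] =
    "4 0 obj\n<< /Length 11 >>\nstream\nhello world\nendstream\nendobj\n";
static const char bad_obj[] =     /* lies about its length: 4096 > buffer */
    "4 0 obj\n<< /Length 4096 >>\nstream\nhello world\nendstream\nendobj\n";
static const char trunc_obj[] =   /* length fits, but the object is cut off */
    "4 0 obj\n<< /Length 11 >>\nstream\nhello world\n";

/* Bounded byte-wise search; returns the offset of needle or -1. */
static long find_bytes(const char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    if (m == 0 || m > n) return -1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return (long)i;
    return -1;
}

/* Parse the decimal integer after "/Length". Returns 0 on success. */
static int parse_declared_length(const char *buf, size_t n, size_t *out) {
    long p = find_bytes(buf, n, "/Length");
    if (p < 0) return -1;
    size_t i = (size_t)p + strlen("/Length");
    while (i < n && buf[i] == ' ') i++;
    if (i >= n || buf[i] < '0' || buf[i] > '9') return -1;
    size_t v = 0;
    for (; i < n && buf[i] >= '0' && buf[i] <= '9'; i++) {
        if (v > (SIZE_MAX - 9) / 10) return -1;   /* integer overflow guard */
        v = v * 10 + (size_t)(buf[i] - '0');
    }
    *out = v;
    return 0;
}

/* Offset of the first body byte: just past "stream" and its end-of-line. */
static long stream_body_offset(const char *buf, size_t n) {
    long p = find_bytes(buf, n, "stream");
    if (p < 0) return -1;
    size_t i = (size_t)p + strlen("stream");
    if (i < n && buf[i] == '\r') i++;
    if (i < n && buf[i] == '\n') i++;
    return (long)i;
}

/* VULNERABLE pattern (CWE-125): the declared /Length is trusted, so a
 * consumer that reads view->len bytes from view->off walks off the end of
 * the buffer whenever the file lies. Nothing is dereferenced here; the
 * out-of-bounds read happens in whatever later copies or hashes the view. */
int locate_stream_unchecked(const char *buf, size_t n, stream_view *view) {
    size_t declared;
    long body = stream_body_offset(buf, n);
    if (body < 0 || parse_declared_length(buf, n, &declared) != 0) return -1;
    view->off = (size_t)body;
    view->len = declared;   /* attacker-controlled, never bounded */
    return 0;
}

/* HARDENED: the declared length must fit in the buffer and "endstream" must
 * follow it (allowing a CR/LF), otherwise the object is rejected. */
int locate_stream_checked(const char *buf, size_t n, stream_view *view) {
    size_t declared;
    long body = stream_body_offset(buf, n);
    if (body < 0 || parse_declared_length(buf, n, &declared) != 0) return -1;
    size_t off = (size_t)body;
    if (declared > n - off) return -2;      /* would read past the buffer */
    long end = find_bytes(buf + off + declared, n - off - declared, "endstream");
    if (end < 0 || end > 2) return -3;      /* length disagrees with layout */
    view->off = off;
    view->len = declared;
    return 0;
}

/* 1 if a naive consumer of the view would touch bytes outside buf[0..n). */
int view_overruns(const stream_view *v, size_t n) {
    return v->off > n || v->len > n - v->off;
}

int main(void) {
    stream_view v;
    if (locate_stream_unchecked(bad_obj, sizeof bad_obj - 1, &v) == 0)
        printf("unchecked: off=%zu len=%zu overruns=%d\n", v.off, v.len,
               view_overruns(&v, sizeof bad_obj - 1));
    printf("checked: bad=%d trunc=%d good=%d\n",
           locate_stream_checked(bad_obj, sizeof bad_obj - 1, &v),
           locate_stream_checked(trunc_obj, sizeof trunc_obj - 1, &v),
           locate_stream_checked(good_obj, sizeof good_obj - 1, &v));
    return 0;
}
```

The two checks in locate_stream_checked are the ones a fuzzer will keep hitting in a file-format parser: never let a length taken from the input exceed the bytes actually present, and reject input whose declared structure disagrees with its physical layout rather than silently trusting one of the two.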
Remediation (AI)
Upgrade the Avira Antivirus scanning engine to build 8.3.70.56 or later; this is the vendor-released fix per the CVE record. Engine updates are normally delivered automatically through Avira's signature/engine update channel, so verify that engine auto-update is enabled and confirm in the Avira console that each endpoint reports an engine build of 8.3.70.56 or higher (compare all four numeric components of the build number; a plain string comparison such as "8.3.70.9" > "8.3.70.56" gives the wrong answer). Consult the Gen Digital security advisories page (https://www.gendigital.com/us/en/contact-us/security-advisories/) for the canonical advisory.

If patching is delayed, compensating controls include excluding PDF files from on-access scanning on the endpoints (trade-off: removes a key detection layer for PDF-borne malware) or routing inbound PDFs through a sandboxed pre-filter so that the Avira engine never parses untrusted PDFs directly (trade-off: added latency and infrastructure cost). Blocking inbound PDFs at the email gateway is a heavier-handed option that breaks normal business workflows.
More from same product – last 7 days
Local code execution and denial-of-service in Avira Antivirus engine builds before 8.3.70.68 allow an attacker to compro
Local code execution or denial-of-service in Avira Antivirus engine builds prior to 8.3.70.56 occurs when the scanner pa
Local code execution in Avira Antivirus engine builds before 8.3.70.104 on Windows, macOS, and Linux allows attackers to
Heap out-of-bounds read in the Avira Antivirus scanning engine on Windows, macOS, and Linux (engine builds before 8.3.70
Local code execution in Avira Antivirus engine builds before 8.3.70.76 on Windows, macOS, and Linux is triggered when th
External POC / Exploit Code
EUVD-2025-210123
GHSA-98r3-fv2h-4h72