
Avast Antivirus CVE-2025-7005
EUVD-2025-210125 · MEDIUM
Uncontrolled Recursion (CWE-674)
2026-06-12 · GEN · GHSA-w5xg-24x3-2465
5.5 · CVSS 3.1 · Vendor: GEN

Severity by source

Vendor (GEN), primary: 5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

vuln.today AI: 5.5 MEDIUM

Local delivery of malformed PE required (AV:L); no credentials needed but user must trigger scan (PR:N, UI:R); impact is AV process crash only (A:H, C:N, I:N).

CVSS 3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS 4.0: AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GEN).

CVSS Vector (Vendor: GEN)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch available: Jun 13, 2026 - 02:00 (EUVD)
Analysis Generated: Jun 12, 2026 - 22:47 (vuln.today)
CVE Published: Jun 12, 2026 - 22:07 (cve.org)

Description (CVE.org)

Uncontrolled recursion vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Denial-of-Service of the antivirus process.

This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25031700.

The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.

Analysis (AI)

Uncontrolled recursion in the Gen Digital shared scanning engine crashes the antivirus process when it encounters a specially crafted malformed Windows PE file, causing a Denial-of-Service across five Gen Digital products (Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus) on Windows, macOS, and Linux. The vulnerability resides in the virus definition update stream rather than the product binary itself, meaning all five products sharing the same Gen Digital VPS stream are simultaneously exposed until updated to definition build VPS 25031700 or later. No public exploit code has been identified at the time of analysis, and the CVSS score of 5.5 (medium) reflects local access and required user interaction as meaningful limiting factors.

Technical Context (AI)

The root cause is CWE-674 (Uncontrolled Recursion): the PE file parser within the shared Gen Digital scanning engine enters recursive processing when it encounters a specially malformed PE structure, and lacks the depth limit or recursion guard that would bound the descent. Because the scanning logic is delivered via a shared virus definition update stream (VPS, Virus Protection Signatures), the flaw is architectural at the signature/engine layer rather than the product layer. This explains why five distinct products across three operating systems are simultaneously affected: cpe:2.3:a:gen_digital:avast_antivirus, cpe:2.3:a:gen_digital:avg_antivirus, cpe:2.3:a:gen_digital:norton_antivirus, cpe:2.3:a:gen_digital:avast_one, and cpe:2.3:a:gen_digital:avast_business_antivirus. The Windows PE (Portable Executable) format allows complex nested structures (e.g., resource directories, import tables) that a recursive parser can descend into indefinitely if the file is maliciously or accidentally malformed, ultimately exhausting the call stack and causing an unhandled exception or crash in the antivirus process.
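The guard the paragraph above describes, shown as an added example that is not Gen Digital's engine code and not taken from this advisory: a recursive walk of a PE resource directory tree in its naive form beside a bounded form, run over synthetic byte blobs constructed here. The structure layouts are the documented IMAGE_RESOURCE_DIRECTORY and IMAGE_RESOURCE_DIRECTORY_ENTRY formats; MAX_DEPTH, the function names and the three fixtures are assumptions of this example.

```python
"""Bounded walk of a PE resource directory tree: the unguarded recursion
beside its guarded form.  Constructed example; the layouts follow the
documented IMAGE_RESOURCE_DIRECTORY / IMAGE_RESOURCE_DIRECTORY_ENTRY formats,
and the byte blobs below are synthetic fixtures, not real PE files."""
import struct

DIR_FMT = "<IIHHHH"    # Characteristics, TimeDateStamp, MajorVer, MinorVer, NumNamed, NumId
ENTRY_FMT = "<II"      # Name-or-Id, OffsetToData
DIR_SIZE = struct.calcsize(DIR_FMT)      # 16 bytes
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 8 bytes
SUBDIR_FLAG = 0x80000000   # high bit set: offset names another directory, not data
OFFSET_MASK = 0x7FFFFFFF

# The format defines exactly three levels (type -> name -> language), so a
# conforming tree is never deeper than this (assumed bound for this example).
MAX_DEPTH = 3


class MalformedResourceTree(ValueError):
    """Raised by the guarded walker instead of recursing further."""


def _read_dir(blob, off):
    """Return the (ident, offset) entries of the directory at `off`, with every
    read bounds-checked against the section."""
    if off + DIR_SIZE > len(blob):
        raise MalformedResourceTree(f"directory at {off:#x} runs past end of section")
    hdr = struct.unpack_from(DIR_FMT, blob, off)
    n_entries = hdr[4] + hdr[5]
    entries = []
    for i in range(n_entries):
        eoff = off + DIR_SIZE + i * ENTRY_SIZE
        if eoff + ENTRY_SIZE > len(blob):
            raise MalformedResourceTree(f"entry {i} of directory at {off:#x} out of bounds")
        entries.append(struct.unpack_from(ENTRY_FMT, blob, eoff))
    return entries


def walk_unguarded(blob, off=0):
    """Naive recursion: follows every subdirectory offset it is handed.  A
    self-referencing chain recurses until the stack is gone (CWE-674)."""
    tree = {}
    for ident, target in _read_dir(blob, off):
        if target & SUBDIR_FLAG:
            tree[ident] = walk_unguarded(blob, target & OFFSET_MASK)
        else:
            tree[ident] = ("data", target)
    return tree


def walk_guarded(blob, off=0, depth=1, path=()):
    """Same walk with two guards: a hard depth limit taken from the format's
    three-level design, and an ancestor check that rejects cycles at once."""
    if depth > MAX_DEPTH:
        raise MalformedResourceTree(f"resource tree deeper than {MAX_DEPTH} levels")
    if off in path:
        raise MalformedResourceTree(f"directory at {off:#x} is its own ancestor (cycle)")
    tree = {}
    for ident, target in _read_dir(blob, off):
        if target & SUBDIR_FLAG:
            tree[ident] = walk_guarded(blob, target & OFFSET_MASK, depth + 1, path + (off,))
        else:
            tree[ident] = ("data", target)
    return tree


def scan(blob, guarded=True):
    """Scanner front end: ('clean', tree), ('malformed', reason) or, for the
    unguarded walker, ('crash', reason) when Python's recursion limit fires
    where a native engine would have exhausted its stack."""
    try:
        tree = walk_guarded(blob) if guarded else walk_unguarded(blob)
        return "clean", tree
    except MalformedResourceTree as exc:
        return "malformed", str(exc)
    except RecursionError:
        return "crash", "stack exhausted while walking resource tree"


# --- constructed fixtures (synthetic, built here for the demonstration) ----
def _dir(n_id_entries):
    return struct.pack(DIR_FMT, 0, 0, 0, 0, 0, n_id_entries)


def _entry(ident, target, subdir):
    return struct.pack(ENTRY_FMT, ident, (target | SUBDIR_FLAG) if subdir else target)


# Conforming: type 3 (RT_ICON) -> name 1 -> language 0x409 -> data at 0x100.
# Each directory is 16 + 8 = 24 bytes, so the levels sit at offsets 0, 24, 48.
GOOD_TREE = (_dir(1) + _entry(3, 24, True)
             + _dir(1) + _entry(1, 48, True)
             + _dir(1) + _entry(0x409, 0x100, False))

# Malformed: the root's only entry claims a subdirectory at offset 0, i.e. itself.
CYCLIC_TREE = _dir(1) + _entry(3, 0, True)

# Malformed: four nested levels where the format allows three (no cycle).
DEEP_TREE = (_dir(1) + _entry(3, 24, True)
             + _dir(1) + _entry(1, 48, True)
             + _dir(1) + _entry(0x409, 72, True)
             + _dir(1) + _entry(0, 0x100, False))


if __name__ == "__main__":
    for name, blob in (("good", GOOD_TREE), ("cyclic", CYCLIC_TREE), ("deep", DEEP_TREE)):
        print(f"{name:7s} unguarded -> {scan(blob, guarded=False)[0]:9s} guarded -> {scan(blob)[0]}")
```

The unguarded walker accepts the conforming tree and the over-deep one, and collapses on the cyclic one; the guarded walker returns a clean verdict for the first and a malformed verdict, with a reason, for the other two. The ancestor check catches a cycle on its first revisit rather than only when the depth bound is reached, and the bounds checks in `_read_dir` keep a bad offset from reading outside the section, which is the other half of handling untrusted nested structures. In Python the RecursionError stands in for the native stack exhaustion the advisory describes.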

Remediation (AI)

The primary fix is a virus definition update to VPS build 25031700 or later, delivered automatically through the standard Gen Digital definition update channel. Administrators should verify that all managed endpoints have received and applied VPS 25031700 or above - this can be confirmed through the AV management console's definition version reporting. For systems with automatic updates enabled and network connectivity, no manual intervention is required. For air-gapped or update-restricted environments, administrators should manually push VPS 25031700 or later from an offline update package obtained from the Gen Digital support portal (see https://www.gendigital.com/us/en/contact-us/security-advisories/). As a compensating control in environments where the definition update cannot be immediately applied, temporarily disabling real-time on-access scanning of PE files or restricting scanning of untrusted PE files from network shares reduces exposure, but note this also reduces malware detection capability during the window. There is no binary patch required - the fix is entirely in the definition build.


CVE-2025-7005 vulnerability details – vuln.today
