Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Local vector because exploitation requires a file to be scanned on the local system; PR:N since any user can introduce a file; UI:R because user file interaction triggers scanning; A:H for antivirus process crash; no confidentiality or integrity impact.
Primary rating from Vendor (GEN).
CVSS Vector (Vendor: GEN)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Description (CVE.org)
Use of stack memory after free vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Denial-of-Service of the antivirus process.
This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25022500.
The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.
Analysis (AI)
A stack use-after-free in the Gen Digital shared antivirus scanning engine crashes the antivirus process when it parses a malformed Windows PE file. Five Gen Digital products share a common virus definition update stream - Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - so all of them are vulnerable until the shared definition stream reaches build VPS 25022500. No public exploit had been identified at the time of analysis; the impact is limited to a Denial-of-Service of the antivirus process with no confidentiality or integrity loss, and the CVSS score of 5.5 reflects the local, user-interaction-dependent nature of the attack.
Technical Context (AI)
The root cause is CWE-590 (Free of Memory Not on the Heap), meaning the scanning engine attempts to release memory that was allocated on the stack rather than the heap - a class of memory-safety error distinct from heap use-after-free but equally capable of corrupting program state or triggering a crash. The affected code path resides in the PE (Portable Executable) file parser within the shared Gen Digital scan engine. Windows PE is a complex binary format with numerous optional headers and section structures; crafted malformed PE files can drive parsers into atypical code paths that mismanage stack-allocated buffers. CPE data confirms five discrete products under the gen_digital vendor namespace (cpe:2.3:a:gen_digital:avast_antivirus, avg_antivirus, norton_antivirus, avast_one, avast_business_antivirus) all consuming the same engine through a shared virus definition update stream, meaning a single upstream fix remediates all affected surfaces simultaneously.
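The CWE-590 pattern described above, as an added example that is not Gen Digital's code: a section-table reader for a PE file that keeps small tables in a stack buffer and large ones on the heap, where cleanup must only free the heap copy. The function names, the stack-or-heap buffer strategy and the sample section values are assumptions for illustration; the 40-byte section header layout (SizeOfRawData at offset 16, PointerToRawData at offset 20) is the real PE format.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SECTION_SIZE   40   /* sizeof(IMAGE_SECTION_HEADER) in the PE format */
#define STACK_SECTIONS 8    /* tables this small are handled in a stack buffer */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
/* Copies a PE section table into a working buffer and checks that each
 * section's raw data lies inside the file. Returns the section count, or -1
 * if the table is malformed. heap_owned records whether the working buffer
 * was malloc'd, so cleanup never hands a stack address to free() (CWE-590). */
int check_section_table(const uint8_t *table, size_t table_len,
                        uint16_t nsections, size_t file_len)
{
    uint8_t stack_buf[STACK_SECTIONS * SECTION_SIZE], *buf = stack_buf;
    int heap_owned = 0, result = nsections;
    size_t need = (size_t)nsections * SECTION_SIZE;
    if (need > table_len) return -1;            /* table truncated */
    if (nsections > STACK_SECTIONS) {           /* large table: use the heap */
        if (!(buf = malloc(need))) return -1;
        heap_owned = 1;
    }
    memcpy(buf, table, need);
    for (uint16_t i = 0; i < nsections; i++) {
        const uint8_t *sec = buf + (size_t)i * SECTION_SIZE;
        uint64_t raw_size = rd32(sec + 16);     /* SizeOfRawData */
        uint64_t raw_ptr  = rd32(sec + 20);     /* PointerToRawData */
        if (raw_ptr + raw_size > file_len) { result = -1; break; }
    }
    /* An unconditional free(buf) here would be the CWE-590 bug on the
     * small-table path (buf still points at stack_buf). Free only the heap copy. */
    if (heap_owned) free(buf);
    return result;
}
/* Constructed sample input (hypothetical values, not from the advisory):
 * n sections (max 16), each claiming raw_size bytes at file offset 0x400. */
int demo(uint16_t n, uint32_t raw_size, size_t file_len)
{
    uint8_t table[16 * SECTION_SIZE] = {0};
    if (n > 16) return -1;
    for (uint16_t i = 0; i < n; i++) {
        uint8_t *sec = table + (size_t)i * SECTION_SIZE;
        wr32(sec + 16, raw_size); wr32(sec + 20, 0x400);
    }
    return check_section_table(table, sizeof table, n, file_len);
}
```

demo(2, ...) exercises the stack-buffer path and demo(12, ...) the heap path; both must leave cleanup correct whether the table validates or not.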
Remediation (AI)
The primary fix is updating the virus definition stream to VPS 25022500 or any subsequent build; installations at or above this build are not vulnerable regardless of the underlying product or platform. Because Gen Digital delivers the fix through the standard automatic virus definition update channel, most installations with automatic updates enabled will have received the remediation without manual intervention. Administrators managing enterprise deployments of Avast Business Antivirus should verify that definition update policies are not delayed or proxied in a way that holds clients below VPS 25022500. If a temporary workaround is required before the update can be applied - for example in an air-gapped environment - disabling on-access scanning of executable files (PE format) would eliminate the attack surface at the cost of reduced real-time malware detection. No additional vendor patch beyond the definition update is indicated. See https://www.gendigital.com/us/en/contact-us/security-advisories/ for the authoritative advisory.
EUVD-2025-210126
GHSA-w68x-xgg3-m822