
Avast Antivirus CVE-2025-7009

EUVD-2025-210128 · HIGH
Out-of-bounds Read (CWE-125)
Published 2026-06-12 · Vendor: GEN · GHSA-m2vq-32p9-45ph
CVSS 3.1 score: 7.8 (Vendor: GEN)

Severity by source

Vendor (GEN), primary: 7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

vuln.today AI: 7.8 HIGH

Local file-parsing bug triggered when a user-introduced malformed PE is scanned (AV:L, UI:R, PR:N); code execution in the AV process yields full C/I/A impact.

CVSS 3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0: AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GEN).

CVSS Vector (Vendor: GEN)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (3 events)

Patch available: Jun 13, 2026 - 02:00 (EUVD)
Analysis Generated: Jun 12, 2026 - 22:40 (vuln.today)
CVE Published: Jun 12, 2026 - 22:10 (cve.org)
Severity: HIGH 7.8

Description (CVE.org)

Heap buffer out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Local Execution of Code or Denial-of-Service of the antivirus process.

This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25021310.

The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.

Analysis (AI)

Local code execution or antivirus-process denial-of-service in Gen Digital's shared scanning engine (Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux) is triggered when the engine parses a malformed Windows PE file and performs a heap out-of-bounds read. Mitigation ships via the VPS 25021310 virus definition update rather than a product installer, so any consumer of the Gen Digital definition stream at or above that build is no longer exposed. No public exploit had been identified at the time of analysis, but the bug sits inside a high-privilege scanner that automatically processes attacker-controlled files.

Technical Context (AI)

The flaw is a CWE-125 out-of-bounds read in the PE (Portable Executable) parser used by the shared Gen Digital antivirus engine, which is embedded across all listed Avast, AVG, and Norton products and reused on non-Windows hosts to scan Windows binaries. Antivirus PE parsers operate as privileged services that automatically inspect any file written to disk, so a parser memory-safety bug yields a direct code-path from file delivery to engine memory corruption. Because the bug is in the engine's interpretation of malformed PE header/section fields, the same vulnerable code runs identically on Windows, macOS, and Linux installations of the listed CPEs (gen_digital:avast_antivirus, avg_antivirus, norton_antivirus, avast_one, avast_business_antivirus).
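The paragraph above describes the bug class in general terms: a parser trusts PE header and section-table fields and reads past the end of the heap buffer holding the file. The following C program is an added illustration of that class and of the check that prevents it; it is not code from the Gen Digital engine and makes no claim about which field the actual CVE-2025-7009 bug mistrusts. It walks a constructed in-memory PE image with every read bounds-checked against the buffer length, and shows two of the usual malformed-header cases (an inflated NumberOfSections and an e_lfanew pointing past the end of the file) being rejected instead of read. The status codes, the sample builder and the demo functions are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Status codes for this hypothetical bounds-checked PE header walk (constructed for the example). */
enum pe_status { PE_OK = 0, PE_TRUNCATED = -1, PE_BAD_MAGIC = -2, PE_BAD_SECTIONS = -3 };

#define IMAGE_SECTION_HEADER_SIZE 40u   /* size of one section header per the PE format */
#define COFF_HEADER_SIZE 20u            /* size of the COFF file header that follows "PE\0\0" */

/* Little-endian reads that validate the access against len before touching memory. */
static int rd16(const uint8_t *p, size_t len, size_t off, uint16_t *out) {
    if (off > len || len - off < 2) return 0;
    *out = (uint16_t)(p[off] | ((uint16_t)p[off + 1] << 8));
    return 1;
}
static int rd32(const uint8_t *p, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return 0;
    *out = (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) |
           ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
    return 1;
}

/* Locate the section table of a PE image held entirely in buf[0..len).
 * On PE_OK, *sect_off and *nsect describe a section table that lies fully inside buf,
 * so a caller may iterate it without any further range check. */
int pe_locate_sections(const uint8_t *buf, size_t len, size_t *sect_off, uint16_t *nsect) {
    uint32_t e_lfanew, pe_sig;
    uint16_t n, opt_size;
    if (len < 2 || buf[0] != 'M' || buf[1] != 'Z') return PE_BAD_MAGIC;
    if (!rd32(buf, len, 0x3c, &e_lfanew)) return PE_TRUNCATED;   /* e_lfanew lives at DOS header +0x3c */
    if (!rd32(buf, len, e_lfanew, &pe_sig)) return PE_TRUNCATED; /* header offset must be inside the file */
    if (pe_sig != 0x00004550u) return PE_BAD_MAGIC;               /* "PE\0\0" */
    size_t coff = (size_t)e_lfanew + 4;                           /* <= len, guaranteed by rd32 above */
    if (!rd16(buf, len, coff + 2, &n)) return PE_TRUNCATED;       /* NumberOfSections */
    if (!rd16(buf, len, coff + 16, &opt_size)) return PE_TRUNCATED; /* SizeOfOptionalHeader */
    size_t table = coff + COFF_HEADER_SIZE + opt_size;
    if (table > len) return PE_TRUNCATED;
    /* The CWE-125 pattern: looping n * 40 bytes from `table` while trusting n as read from
     * the file reads past the heap buffer whenever n is inflated. Reject such a count instead. */
    if ((size_t)n * IMAGE_SECTION_HEADER_SIZE > len - table) return PE_BAD_SECTIONS;
    *sect_off = table;
    *nsect = n;
    return PE_OK;
}

/* Constructed sample: DOS header with "MZ", "PE\0\0" at 0x40, a COFF header with an empty
 * optional header, and `real_sections` zeroed section headers. NumberOfSections is written
 * as `claimed_sections` and the DOS e_lfanew as given, so the fields can disagree with reality. */
static size_t build_sample(uint8_t *out, size_t cap, uint16_t claimed_sections,
                           uint16_t real_sections, uint32_t e_lfanew) {
    size_t total = 0x40 + 4 + COFF_HEADER_SIZE + (size_t)real_sections * IMAGE_SECTION_HEADER_SIZE;
    if (total > cap) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    for (int i = 0; i < 4; i++) out[0x3c + i] = (uint8_t)(e_lfanew >> (8 * i));
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x40 + 4 + 2] = (uint8_t)claimed_sections;
    out[0x40 + 4 + 3] = (uint8_t)(claimed_sections >> 8);
    return total;
}

/* Well-formed image: one claimed section, one real section, correct e_lfanew. */
int demo_wellformed(void) {
    uint8_t img[256]; size_t off; uint16_t n;
    size_t len = build_sample(img, sizeof img, 1, 1, 0x40);
    return pe_locate_sections(img, len, &off, &n);
}

/* Malformed image: NumberOfSections claims 65535 but the file holds one section header. */
int demo_inflated_section_count(void) {
    uint8_t img[256]; size_t off; uint16_t n;
    size_t len = build_sample(img, sizeof img, 0xFFFF, 1, 0x40);
    return pe_locate_sections(img, len, &off, &n);
}

/* Malformed image: e_lfanew points far beyond the end of the buffer. */
int demo_lfanew_past_end(void) {
    uint8_t img[256]; size_t off; uint16_t n;
    size_t len = build_sample(img, sizeof img, 1, 1, 0x7FFFFFF0u);
    return pe_locate_sections(img, len, &off, &n);
}

int main(void) {
    printf("well-formed:            %d\n", demo_wellformed());
    printf("inflated section count: %d\n", demo_inflated_section_count());
    printf("e_lfanew past end:      %d\n", demo_lfanew_past_end());
    return 0;
}
```

The point for a defender reading this advisory is the shape of the fix rather than any particular field: every offset derived from file content (e_lfanew, SizeOfOptionalHeader, NumberOfSections) is checked against the length of the buffer that actually holds the file before it is used as a read index, and a rejected file is reported as malformed rather than partially parsed.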

Remediation (AI)

Primary remediation is to ensure each affected installation has received virus definition build VPS 25021310 or later via the Gen Digital update channel; because the fix ships through the definitions stream rather than an installer, no product binary upgrade is required and any engine consuming the stream at or above that build is patched. Verify the live VPS build in each product's UI (or via the management console for Avast/AVG/Norton Business) and confirm definition updates are not blocked by proxy, allowlist, or air-gap policies. If you cannot rapidly confirm definition coverage, compensating controls are limited, because disabling real-time scanning removes the protection you bought AV for. You can still constrain exposure by quarantining inbound PE files at the email gateway and web proxy, restricting executable downloads to managed software-distribution paths, and avoiding manual on-demand scans of untrusted directories (e.g., recently downloaded files, USB media) until definitions are confirmed updated. Consult https://www.gendigital.com/us/en/contact-us/security-advisories/ for the per-product advisory and any additional product-specific guidance.


CVE-2025-7009 vulnerability details – vuln.today
