CVE-2025-7008
Description
Heap buffer out-of-bounds read in Avast Antivirus scanning engine allows local code execution or denial-of-service via malformed PE files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap buffer out-of-bounds read vulnerability exists in the scanning engine of Avast Antivirus and related Gen Digital products (Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus) on Windows, macOS, and Linux. The bug is triggered when the engine scans a malformed Windows PE file with specially crafted .NET metadata. Affected virus definition builds are those before VPS 25021310 [1].
Exploitation
An attacker must supply a malformed PE file with malicious .NET metadata to a target system. The file may be introduced via local access, email attachment, web download, or other vectors that trigger the antivirus scanner (automatic or on-demand). No additional authentication is required; the vulnerable scanning code reads beyond the allocated heap buffer when processing the malformed input [1].
Impact
Successful exploitation can lead to local code execution within the context of the antivirus process, potentially enabling privilege escalation or system compromise. Alternatively, the out-of-bounds read may cause a denial-of-service of the antivirus process, leaving the system unprotected [1].
Mitigation
The vulnerability is mitigated by updating virus definitions to VPS 25021310 or later. The fix is delivered through the standard Gen Digital virus definition update stream. Installations at or above this build are not vulnerable. No other workarounds are documented [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
- Range: < VPS 25021310
- Range: < VPS 25021310
- Range: < VPS 25021310
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.