VYPR
High severity 7.8 · NVD Advisory · Published Jun 12, 2026

CVE-2025-7009

Description

Heap buffer out-of-bounds read in Avast Antivirus scanning logic allows local code execution or denial of service; fixed in virus definition build VPS 25021310.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap buffer out-of-bounds read vulnerability exists in the scanning logic of Avast Antivirus and other Gen Digital products (Avast, AVG, Norton, Avast One, Avast Business) when processing a malformed Windows PE file. The flaw resides in the virus definition update stream shared across these products. Affected versions are those with virus definition builds before VPS 25021310 on Windows, macOS, and Linux.

Exploitation

An attacker with local access can craft a malformed PE file that triggers the out-of-bounds read during scanning. No special privileges are required beyond the ability to present the file to the antivirus scanner (e.g., via download, email, or local execution). The scanning process reads beyond the allocated heap buffer, potentially leading to code execution or a crash of the antivirus process.

Impact

Successful exploitation may allow local execution of arbitrary code or cause a denial-of-service condition by crashing the antivirus process. The attacker gains the ability to execute code in the context of the antivirus service, which typically runs with elevated privileges, potentially leading to full system compromise.

Mitigation

The vulnerability is mitigated by updating virus definitions to build VPS 25021310 or later, which is delivered through the Gen Digital update channel. No workarounds are available; users should ensure their antivirus software is configured to receive automatic updates. The advisory is tracked under SYMSA1003 on the Gen Digital security advisories page [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
