CVE-2025-9032

Vulnerability

A heap buffer out-of-bounds read vulnerability exists in the Avira Antivirus engine when scanning a specially crafted Windows Portable Executable (PE) file. This flaw affects engine builds prior to version 8.3.70.98 on Windows, macOS, and Linux. The malformed PE file triggers an incorrect read beyond the allocated heap buffer, exposing the engine to corruption.

Exploitation

An attacker with local access to the system must craft a malformed Windows PE file that, when scanned by the vulnerable Avira engine, triggers the heap buffer out-of-bounds read. No additional authentication or privileges are required beyond the ability to present the file to the scanner (e.g., via download, email attachment, or local file access). The scanning action occurs automatically if real-time protection is enabled, or upon manual or scheduled scan.

Impact

Successful exploitation can lead to local arbitrary code execution within the context of the antivirus engine process, or cause a denial-of-service crash of the engine. This could potentially allow the attacker to bypass antivirus protection or gain elevated privileges depending on the system configuration. The impact is limited to the engine process, not full system compromise, but still poses a significant local security risk.

Mitigation

The vulnerability is fixed in Avira engine version 8.3.70.98, released on or after the advisory date (SYMSA1003, published 2026-06-12). Users should update to the latest engine version immediately. No workaround is available; users on unsupported versions should upgrade to a supported product. The issue is not currently listed on the CISA Known Exploited Vulnerabilities catalog. [1]