CVE-2026-6676
Description
Heap buffer over-write in Avira Antivirus engine before 8.3.27.12 via malformed POSIX tar archive leads to local code execution or DoS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap buffer out-of-bounds write vulnerability exists in the Avira Antivirus engine when scanning a specially crafted malformed POSIX tar archive. This flaw affects engine builds prior to version 8.3.27.12 on Windows, macOS, and Linux platforms [1]. The vulnerable code path is triggered during archive parsing within the scanner component, requiring no special configuration beyond standard antivirus scanning operations.
Exploitation
An attacker with local access to the system can craft a malformed POSIX tar archive that, when scanned by the Avira Antivirus engine, causes a heap buffer overflow. No authentication or elevated privileges are needed to deliver the file; the archive must either be placed on disk or presented to the engine via a local interface that triggers scanning (e.g., on-access or on-demand scan). The exploitation sequence involves writing data beyond the allocated heap buffer, potentially overwriting adjacent memory structures.
Impact
Successful exploitation can lead to arbitrary code execution within the context of the antivirus engine process or a denial-of-service condition affecting the engine. An attacker achieving code execution may gain the same privileges as the engine process, which typically operates with system-level or high-integrity access, thereby potentially compromising the entire system [1].
Mitigation
Gen Digital released engine version 8.3.27.12 to address this vulnerability. Users should update their Avira Antivirus software to the latest version. No workarounds are documented in the available reference [1]. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is generated only when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.