Vypr advisory · Published Jun 12, 2026 · Updated Jun 14, 2026 · 1 source

Avast, Norton, Avira: Ten CVEs Disclosed Together by Gen Digital


Key findings

  • Ten CVEs disclosed together by Gen Digital on June 12, 2026
  • Five High-severity heap buffer bugs (CVSS 7.8) can lead to local code execution
  • Flaws triggered by scanning malformed PE, PDF, ZIP, OOXML, and MS-DOS files
  • Affects Avast, AVG, Norton, Avira, Avast One, and Avast Business Antivirus
  • Avira-specific engine bugs fixed in build 8.3.70.56
  • No active exploitation reported; automatic definition updates contain fixes

On June 12, 2026, Gen Digital disclosed a batch of ten security vulnerabilities affecting its Avast, AVG, Norton, Avira, and Avast One/Business antivirus products. The flaws span heap buffer overflows, stack overflows, use-after-free, and uncontrolled recursion bugs — all triggered by scanning malformed files. Five of the ten carry a High severity rating (CVSSv3 7.8), meaning an attacker who can deliver a specially crafted file to a target system could achieve local code execution or crash the antivirus engine entirely.

Heap buffer bugs dominate the High-severity group

Five of the High-rated CVEs involve heap buffer out-of-bounds reads or writes. CVE-2025-7004 and CVE-2025-14098 are heap buffer out-of-bounds write vulnerabilities — the former triggered by a malformed Windows PE file, the latter by a malformed MS-DOS executable scanned by the Avira engine. Both can lead to local code execution or denial-of-service. CVE-2025-7009 and CVE-2025-7008 are heap buffer out-of-bounds read flaws in the PE-file parser, with CVE-2025-7008 specifically involving PE files carrying .NET metadata. CVE-2025-7011 is a heap out-of-bounds read triggered by a malformed zip archive containing XML. All five affect Avast, AVG, Norton, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux.
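The advisory does not describe the individual parser defects, so as an added illustration of the bug class (not code from the advisory or from Gen Digital's engine), here is the kind of bounds check whose absence lets a malformed PE file steer a scanner past the end of its heap buffer: a header walk that refuses to follow e_lfanew or NumberOfSections beyond the bytes actually scanned. The layout assumed (64-byte DOS header, "PE\0\0" plus a 20-byte COFF header, 40-byte section headers) is the standard PE format; the sample images are constructed for the checks and are not real malware.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian field readers: PE headers are little-endian on disk. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Hypothetical hardened header walk (an added illustration, not Gen Digital's code).
 * Returns the declared section count when every header field stays inside the
 * scanned buffer, or -1 otherwise. Each check guards a read that an unchecked
 * parser would perform past the end of its heap buffer on a malformed PE file. */
int pe_section_count(const uint8_t *buf, size_t len) {
    const size_t DOS_HDR = 64, PE_HDR = 24, SECTION_HDR = 40;
    if (len < DOS_HDR || buf[0] != 'M' || buf[1] != 'Z')
        return -1;                                   /* no complete DOS header */
    uint32_t e_lfanew = rd32(buf + 60);              /* offset of "PE\0\0" */
    /* compare by subtraction so an oversized e_lfanew cannot wrap the sum */
    if (e_lfanew > len - PE_HDR || memcmp(buf + e_lfanew, "PE\0\0", 4) != 0)
        return -1;
    uint16_t nsections = rd16(buf + e_lfanew + 6);   /* COFF NumberOfSections */
    uint16_t opt_size  = rd16(buf + e_lfanew + 20);  /* SizeOfOptionalHeader */
    size_t table = (size_t)e_lfanew + PE_HDR + opt_size;
    /* the declared section count must be backed by bytes actually present */
    if (table > len || nsections > (len - table) / SECTION_HDR)
        return -1;
    return nsections;
}

/* Writes a constructed 168-byte PE-like image: DOS header, "PE\0\0", COFF header,
 * no optional header, room for exactly two section headers. e_lfanew and
 * nsections are written verbatim so malformed values can be injected. */
size_t build_sample(uint8_t *out, uint32_t e_lfanew, uint16_t nsections) {
    const size_t total = 64 + 24 + 2 * 40;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    for (int i = 0; i < 4; i++) out[60 + i] = (uint8_t)(e_lfanew >> (8 * i));
    memcpy(out + 64, "PE\0\0", 4);
    out[70] = (uint8_t)nsections; out[71] = (uint8_t)(nsections >> 8);
    return total;
}

/* Builds one constructed variant and scans it; truncate_to > 0 cuts the image
 * short to mimic a file that ends in the middle of a header. */
int scan_sample(uint32_t e_lfanew, uint16_t nsections, size_t truncate_to) {
    uint8_t img[168];
    size_t n = build_sample(img, e_lfanew, nsections);
    if (truncate_to && truncate_to < n) n = truncate_to;
    return pe_section_count(img, n);
}
```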

Stack overflows, recursion, and use-after-free

The Medium-severity CVEs (CVSSv3 5.5) are denial-of-service bugs. CVE-2025-7019 is a stack overflow when scanning a malformed Office Open XML file. CVE-2025-7010 is a stack overflow caused by uncontrolled recursion in the PDF parser. CVE-2025-7006 is a use of stack memory after free in the PE-file scanner. CVE-2025-7005 is an uncontrolled recursion bug also in the PE-file scanner. All four affect the same broad product set as the High-severity group.

Avira-specific engine flaws

Two CVEs are confined to the Avira Antivirus engine. CVE-2025-14098 (High, heap buffer OOB write via malformed MS-DOS executable) and CVE-2025-7003 (High, heap buffer OOB read via malformed PDF) affect Avira Antivirus on Windows, macOS, and Linux for engine builds before 8.3.70.56.

Patch status and affected versions

Gen Digital has released updated virus-definition builds that address all ten CVEs. The vulnerabilities affect virus-definition builds earlier than the fixed build across Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus. For the Avira-specific flaws, the fix is in engine build 8.3.70.56 and later. Users should ensure their antivirus software is set to receive automatic definition updates; no manual action beyond a standard update is required.

Why this batch matters

Antivirus engines operate at the highest privilege level on a system and parse untrusted file formats constantly. A heap overflow in the PE or PDF parser — especially one that can lead to code execution — turns the security software itself into an attack surface. While no active exploitation has been reported in the disclosure materials, the breadth of affected products (Avast, AVG, Norton, Avira, Avast One, Avast Business) means the patch touches millions of endpoints. Users of any Gen Digital antivirus product should confirm that automatic updates are enabled.

Synthesized by Vypr AI