CVE-2022-26522 Overview
CVE-2022-26522 is a double fetch vulnerability in the aswArPot.sys kernel driver shipped with Avast and AVG Windows Anti Rootkit products. The flaw resides in the socket connection handler at offset aswArPot+0xc4a3. A local attacker with low privileges can exploit this race condition to execute arbitrary code in kernel mode or trigger memory corruption that crashes the operating system. The vulnerability affects versions of the driver before 22.1. SentinelLabs researchers identified the issue and disclosed it to Avast through coordinated disclosure. Because the vulnerable driver runs with kernel privileges, successful exploitation grants full SYSTEM-level control over the affected host.
Critical Impact
Local attackers can execute arbitrary code in kernel mode, achieving full privilege escalation on Windows systems running affected Avast or AVG anti-rootkit drivers.
Affected Products
- Avast Anti Rootkit driver (aswArPot.sys) before version 22.1
- AVG Anti Rootkit driver (aswArPot.sys) before version 22.1
- Windows endpoints with Avast or AVG security products installed
Discovery Timeline
- 2026-05-08 - CVE-2022-26522 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2022-26522
Vulnerability Analysis
The vulnerability is a double fetch race condition [CWE-367] in the socket connection handler implemented inside aswArPot.sys. A double fetch occurs when kernel code reads the same user-mode memory location twice during a single operation without locking the value. An attacker who modifies that memory between the two reads can desynchronize the driver's validation logic from the value it actually uses.
In this case, the driver fetches a value from user-space memory at offset aswArPot+0xc4a3, validates it, then re-fetches the value for use without re-validation. By winning the race, an attacker substitutes a malicious value after validation completes. The result is kernel-mode memory corruption or arbitrary kernel code execution.
Exploitation requires local code execution as a low-privileged user. No user interaction is needed. Successful exploitation elevates privileges from a standard user account to the kernel, defeating Windows security boundaries including Protected Process Light (PPL) and standard user-mode isolation.
Root Cause
The driver reads attacker-controlled data from user space twice rather than copying it into a kernel buffer once and operating on the trusted copy. This Time-of-Check to Time-of-Use (TOCTOU) pattern is a well-known anti-pattern in Windows kernel driver development. The shared user-mode buffer remains writable between fetches, allowing concurrent threads to alter the value after the kernel's validation step.
Attack Vector
An attacker first executes code locally as any authenticated user. The attacker then opens a handle to the vulnerable driver and issues IOCTL requests targeting the socket connection handler. A second thread concurrently rewrites the shared user-mode buffer between the driver's two fetches. Winning this race causes the driver to operate on attacker-controlled data, producing memory corruption inside kernel address space. The vulnerability mechanism is described in detail in the SentinelOne Vulnerability Report.
Detection Methods for CVE-2022-26522
Indicators of Compromise
- Unexpected kernel crashes (BSOD) referencing aswArPot.sys in the bugcheck stack trace
- Processes opening handles to the Avast/AVG anti-rootkit driver from non-standard binaries
- Anomalous IOCTL traffic to \\.\aswArPot device objects from unsigned or non-Avast processes
Detection Strategies
- Monitor driver file versions on endpoints and flag aswArPot.sys builds earlier than 22.1
- Inspect Windows Error Reporting and minidump files for crashes pointing to aswArPot+0xc4a3
- Correlate local privilege escalation alerts with recent IOCTL activity against Avast/AVG drivers
Monitoring Recommendations
- Enable kernel-mode crash dump collection and centralize dump analysis
- Track loaded driver inventory across the fleet to identify outdated aswArPot.sys versions
- Audit which user-mode processes interact with security product device objects and alert on unexpected callers
How to Mitigate CVE-2022-26522
Immediate Actions Required
- Update Avast and AVG products to versions containing aswArPot.sys 22.1 or later
- Inventory all endpoints to confirm the patched driver version is loaded after restart
- Restrict local logon rights to reduce the pool of users who can attempt local exploitation
Patch Information
Avast addressed the double fetch in aswArPot.sys version 22.1 by serializing the user-mode read into a single kernel-side copy before validation. Customers running affected Avast or AVG Windows products must upgrade to the fixed release. Details on responsible disclosure and reporting are available through the Avast Bug Bounty Program.
Workarounds
- If immediate patching is not possible, remove or disable the Avast/AVG anti-rootkit component until the update is applied
- Apply application allowlisting to block untrusted binaries from issuing IOCTLs to the vulnerable driver
- Enforce least privilege so that standard users cannot run arbitrary executables on production hosts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
