CVE-2022-26523 Overview
CVE-2022-26523 is a double fetch vulnerability in aswArPot.sys, the Windows Anti Rootkit driver shipped with Avast and AVG security products. The flaw resides in the socket connection handler at offset aswArPot+0xbb94. Local attackers can exploit the race condition to execute arbitrary code in kernel mode or trigger memory corruption that crashes the operating system. The issue affects driver versions prior to 22.1. SentinelLabs researchers analyzed and disclosed this vulnerability as part of their investigation into kernel-level flaws in widely deployed endpoint security products.
Critical Impact
Successful exploitation grants kernel-mode code execution, allowing attackers to disable security controls, install rootkits, or destabilize the host.
Affected Products
- Avast Antivirus for Windows (driver aswArPot.sys before version 22.1)
- AVG Antivirus for Windows (driver aswArPot.sys before version 22.1)
- Any product bundling the Avast Anti Rootkit driver prior to 22.1
Discovery Timeline
- 2026-05-08 - CVE-2022-26523 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2022-26523
Vulnerability Analysis
The vulnerability is a double fetch race condition [CWE-400] inside the socket connection handler of aswArPot.sys. A double fetch occurs when kernel code reads the same user-mode value twice without locking, allowing an attacker to swap the value between reads. The first read passes validation, while the second read consumes attacker-controlled data on a privileged code path.
Because aswArPot.sys runs in ring 0, any memory corruption inside its handler executes with kernel privileges. An attacker with local code execution can issue crafted IOCTL requests to the driver and race a second thread that mutates the shared buffer. The result is either arbitrary write primitives that lead to kernel code execution or memory corruption that triggers a bug check.
Root Cause
The handler at aswArPot+0xbb94 reads a user-supplied pointer or length value from a shared input buffer, validates it, and then re-reads the same field when performing the privileged operation. No ProbeForRead snapshot or local copy protects the value between the check and the use, creating a time-of-check to time-of-use window [CWE-367 class behavior].
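As an added illustration, not code from this page or from Avast, here is a constructed C model of the double fetch described above placed beside the single-fetch pattern the 22.1 fix describes. The request layout, the 16-byte kernel buffer and the race hook are assumptions standing in for the driver's real, unpublished structures:

```c
#include <stdint.h>
#include <stdio.h>

#define KERNEL_BUF_SIZE 16u

/* Constructed model of the request a user-mode caller hands to the driver.
 * The real aswArPot.sys layout is not public; the field name is an assumption. */
struct request {
    volatile uint32_t length;   /* lives in user memory: can change at any time */
};

/* Stand-in for a second thread that writes the shared field inside the check/use window. */
typedef void (*race_hook)(struct request *);
static void flip_length(struct request *r) { r->length = 4096; }

/* Vulnerable pattern (the CVE class): the check and the use each read the shared
 * field. Returns the byte count the privileged copy would use, or -1 if rejected.
 * The copy itself is never performed, so the model stays memory-safe. */
int copy_size_double_fetch(struct request *req, race_hook other_thread) {
    if (req->length > KERNEL_BUF_SIZE)      /* fetch 1: validation */
        return -1;
    if (other_thread)                       /* race window between check and use */
        other_thread(req);
    return (int)req->length;                /* fetch 2: value consumed by the copy */
}

/* Hardened pattern (the approach the fix describes): snapshot the value into a
 * kernel-local variable once, validate the snapshot, use the snapshot. */
int copy_size_single_fetch(struct request *req, race_hook other_thread) {
    uint32_t n = req->length;               /* the only fetch */
    if (n > KERNEL_BUF_SIZE)
        return -1;
    if (other_thread)
        other_thread(req);                  /* later writes cannot reach n */
    return (int)n;
}

/* Scenario helpers: a benign length of 8 passes validation, then the race flips it. */
int racy_scenario(void)     { struct request r = { 8 };    return copy_size_double_fetch(&r, flip_length); }
int hardened_scenario(void) { struct request r = { 8 };    return copy_size_single_fetch(&r, flip_length); }
int honest_oversize(void)   { struct request r = { 4096 }; return copy_size_double_fetch(&r, NULL); }

int main(void) {
    printf("double fetch would copy %d bytes into a %u-byte buffer\n", racy_scenario(), KERNEL_BUF_SIZE);
    printf("single fetch copies %d bytes\n", hardened_scenario());
    printf("oversize request without a race is rejected: %d\n", honest_oversize());
    return 0;
}
```

The double-fetch handler accepts 8 at the check but hands 4096 to the copy; the single-fetch handler only ever sees the value it validated.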
Attack Vector
Exploitation requires local access and the ability to open a handle to the driver device object. The attacker submits IOCTLs targeting the socket connection handler while a second thread continuously flips the shared field. Winning the race produces memory corruption that the attacker shapes into kernel-mode code execution. Remote exploitation is not possible without a separate primitive that delivers local code execution first.
No public proof-of-concept is listed in the enriched data. Technical context is documented in the SentinelOne Vulnerability Analysis.
Detection Methods for CVE-2022-26523
Indicators of Compromise
- Loaded aswArPot.sys with a file version earlier than 22.1 on production endpoints.
- Unexpected CreateFile opens against the Avast or AVG anti-rootkit device object from non-Avast processes.
- Windows bug checks referencing aswArPot.sys in the faulting module field of MEMORY.DMP.
Detection Strategies
- Inventory installed driver versions and flag any host running aswArPot.sys below 22.1.
- Hunt for processes issuing DeviceIoControl calls to the Avast Anti Rootkit driver outside of legitimate Avast or AVG service binaries.
- Correlate kernel crashes with driver version data to surface exploitation attempts that fail the race.
Monitoring Recommendations
- Forward Windows kernel crash telemetry and driver load events to a centralized analytics tier.
- Track handle opens to \\.\aswArPot style device names and alert on non-vendor callers.
- Baseline normal IOCTL frequency for the driver and alert on bursts consistent with race-condition exploitation.
How to Mitigate CVE-2022-26523
Immediate Actions Required
- Upgrade Avast and AVG Windows products to a build that ships aswArPot.sys version 22.1 or later.
- Verify the on-disk driver version after the upgrade reboot, since stale drivers can persist until the system restarts.
- Restrict local interactive logon and standard-user code execution on servers that host the affected driver.
Patch Information
Avast addressed the issue by hardening the socket connection handler in aswArPot.sys 22.1. The fix copies the user-mode value into a kernel-local variable before validation and reuses that copy on the privileged path, eliminating the double fetch. Customers receive the update through standard Avast and AVG product update channels. Additional vendor context is available via the Avast Bug Bounty Program.
Workarounds
- Block low-privilege users from launching arbitrary binaries through application control policies until the driver is patched.
- Where business policy allows, temporarily uninstall the Avast or AVG anti-rootkit component on systems that cannot be updated immediately.
- Apply least-privilege controls so that only trusted service accounts can interact with the vulnerable device object.
# Verify the installed aswArPot.sys version on a Windows host (run from cmd.exe; the result should be 22.1 or later)
powershell -Command "(Get-Item 'C:\Windows\System32\drivers\aswArPot.sys').VersionInfo.FileVersion"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.