CVE-2025-7004 Overview
CVE-2025-7004 is a heap-based out-of-bounds write vulnerability in the Windows Portable Executable (PE) scanning logic shared across Gen Digital antivirus products. The flaw is triggered when the engine scans a malformed PE file, leading to memory corruption [CWE-787]. Successful exploitation allows local code execution or denial-of-service of the antivirus process. The vulnerable scanning logic ships through a shared virus definition update stream, so multiple Gen Digital products inherit the issue. Affected virus definition builds are those released before VPS 25040308.
Critical Impact
A malformed PE file processed by the antivirus engine can corrupt heap memory, enabling local code execution or termination of the antivirus process across Avast, AVG, and Norton product families on Windows, macOS, and Linux.
Affected Products
- Avast Antivirus, Avast One, and Avast Business Antivirus (Windows, macOS, Linux) with VPS builds before 25040308
- AVG Antivirus (Windows, macOS, Linux) with VPS builds before 25040308
- Norton Antivirus and other Gen Digital products embedding the shared scanning engine
Discovery Timeline
- 2026-06-12 - CVE-2025-7004 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7004
Vulnerability Analysis
The vulnerability resides in the Windows PE file parsing path of the Gen Digital antivirus scanning engine. When the engine processes a malformed PE structure, it writes past the bounds of a heap-allocated buffer. The condition maps to CWE-787 (Out-of-Bounds Write) and affects all consumer and business products that embed the shared engine. Because virus definition updates carry the scanning logic, the same fault appears across Avast, AVG, Norton, and Avast Business products on Windows, macOS, and Linux. Exploitation requires the engine to scan attacker-supplied content, which routinely occurs through file system writes, downloads, email attachments, and real-time protection hooks. The outcome ranges from process crash to controlled memory corruption that an attacker may shape into local code execution within the antivirus process context.
Root Cause
The scanning routine fails to validate field sizes and offsets in the PE header structures before writing parsed data into a heap buffer. A crafted PE file supplies values that cause the writer to exceed the allocated region. The shared Gen Digital virus definition update stream propagates the affected logic to every product that consumes it.
Attack Vector
The attack vector is local and requires user interaction to place the malformed PE file in a location the antivirus scans. Real-time protection processes the file automatically when it appears on disk. An attacker delivers the file through standard channels such as a download, removable media, or shared folder. The antivirus engine typically runs with elevated privileges, so successful memory corruption inside the scanning process yields a privilege gain on the host.
No public proof-of-concept code is available. See the Gen Digital Security Advisory for vendor technical details.
Detection Methods for CVE-2025-7004
Indicators of Compromise
- Unexpected crashes, restarts, or hangs of antivirus service processes such as AvastSvc.exe, AVGSvc.exe, or Norton scanning components
- Creation or transfer of PE files with malformed headers shortly before antivirus process termination
- Virus definition (VPS) build number below 25040308 reported by the installed product
Detection Strategies
- Inventory all endpoints running Avast, AVG, Norton, or Avast Business products and record the active VPS build number
- Alert on antivirus service crash events in Windows Event Log (Source: Application Error, faulting module within the AV install path)
- Correlate file write events for newly dropped .exe, .dll, or .sys files with subsequent antivirus process exits
Monitoring Recommendations
- Forward antivirus process telemetry and Windows reliability events to a centralized analytics platform for cross-host correlation
- Track virus definition update success across the fleet and flag hosts that remain below VPS 25040308
- Monitor for child processes spawned by antivirus services, which would indicate post-exploitation behavior
How to Mitigate CVE-2025-7004
Immediate Actions Required
- Confirm the installed virus definition build is at or above VPS 25040308 on every endpoint running an affected Gen Digital product
- Force a manual virus definition update on hosts that have not pulled the corrected stream
- Restrict execution and write permissions on directories that accept untrusted PE files until the update is verified
Patch Information
Gen Digital remediated the issue through the shared virus definition update stream. Installations running VPS build 25040308 or later are not vulnerable, regardless of which Gen Digital product consumes the stream. Apply the latest virus definition update through the product's standard update mechanism. Refer to the Gen Digital Security Advisory for product-specific guidance.
Workarounds
- No supported configuration workaround removes the vulnerability without applying the VPS update
- Limit exposure by blocking inbound delivery of unsolicited PE files at the email gateway and web proxy until the update is confirmed
- Disable scanning of untrusted network shares only as a short-term containment step, recognizing that this reduces overall protection
# Verify the active virus definition build on Windows (Avast example)
# Path may vary by product; confirm in the product UI under About
reg query "HKLM\SOFTWARE\Avast Software\Avast" /v "VPS version"
# Trigger a definition update from the command line
"C:\Program Files\Avast Software\Avast\AvEmUpdate.exe" /update
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

