CVE-2025-7005 Overview
CVE-2025-7005 is an uncontrolled recursion vulnerability [CWE-674] in the scanning engine shared by Gen Digital antivirus products. A malformed Windows Portable Executable (PE) file can trigger unbounded recursive parsing in the scanner. The recursion exhausts stack memory and crashes the antivirus process, producing a local denial-of-service condition.
The flaw affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux. All virus definition builds prior to VPS 25031700 are vulnerable. The fix ships through the shared Gen Digital virus definition update stream, so any product consuming the updated stream is no longer vulnerable.
Critical Impact
A user-supplied malformed PE file crashes the antivirus scanning process, disabling real-time protection until the service restarts.
Affected Products
- Avast Antivirus, AVG Antivirus, and Avast One on Windows, macOS, and Linux (VPS builds before 25031700)
- Norton Antivirus on Windows, macOS, and Linux (VPS builds before 25031700)
- Avast Business Antivirus and other Gen Digital products embedding the same scanning engine
Discovery Timeline
- 2026-06-12 - CVE-2025-7005 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7005
Vulnerability Analysis
The vulnerability resides in the PE file parser inside the Gen Digital scanning engine. When the scanner encounters a malformed PE structure, it follows nested references without enforcing a recursion depth limit. Each nested element triggers another recursive call, growing the call stack until the operating system terminates the process.
Because the scanner inspects every file the system touches, an attacker only needs to place the malformed PE where the on-access scanner reads it. The crash ends the scanning process, which removes real-time protection until the service is restarted or recovered by its watchdog.
The flaw does not expose memory contents or allow code execution. The impact is confined to availability of the antivirus product, mapped by the CVSS vector to local attack vector with user interaction required.
Root Cause
The parser implements a recursive descent over PE structures without bounding recursion depth. A crafted file can declare deeply nested or self-referencing elements that consume thread stack space until a stack overflow terminates the scanning process. The condition matches [CWE-674: Uncontrolled Recursion].
Attack Vector
Exploitation is local. An attacker must place the malformed PE on a target system in a location the scanner inspects, such as a download folder, removable media, an email attachment opened by the user, or a shared file location. User interaction is required to deliver or open the file. No authentication or elevated privileges are needed.
No verified proof-of-concept code is published. Refer to the Gen Digital Security Advisory for vendor-supplied technical context.
Detection Methods for CVE-2025-7005
Indicators of Compromise
- Unexpected termination of AvastSvc.exe, avgsvc.exe, NortonSecurity.exe, or related scanning service processes on endpoints
- Windows Application or service event logs recording stack overflow exceptions in the Gen Digital scanning module
- Real-time protection status reporting as disabled or degraded after a recent file write or download
Detection Strategies
- Alert on repeated crashes or restarts of the antivirus scanning service within short time windows
- Correlate antivirus process termination events with file write events to identify the triggering PE artifact
- Inventory endpoints to identify hosts running VPS definitions below build 25031700
Monitoring Recommendations
- Forward antivirus service health and process lifecycle events to a centralized log platform for correlation
- Track virus definition build numbers across the fleet and alert on deployments older than VPS 25031700
- Monitor for newly written PE files immediately preceding scanner crash events to capture the malformed sample for analysis
How to Mitigate CVE-2025-7005
Immediate Actions Required
- Confirm that affected Avast, AVG, Norton, Avast One, and Avast Business Antivirus installations are receiving virus definition updates
- Verify the deployed VPS build is at or above 25031700 on every Windows, macOS, and Linux endpoint
- Investigate endpoints that show recent antivirus service crashes to identify any triggering files
Patch Information
Gen Digital delivered the fix through the shared virus definition update stream. Installations running VPS build 25031700 or later are not vulnerable, regardless of which Gen Digital product consumes the stream. See the Gen Digital Security Advisory for product-specific guidance.
Workarounds
- Ensure automatic virus definition updates are enabled so the corrected scanning logic is delivered immediately
- Restrict execution of untrusted PE files from removable media and email attachments through application control policies
- Enable service recovery options so the antivirus scanning process restarts automatically if it terminates unexpectedly
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

