CVE-2025-7006 Overview
CVE-2025-7006 is a use of stack memory after free vulnerability [CWE-590] in the Windows Portable Executable (PE) scanning logic shared across Gen Digital antivirus products. The flaw triggers when the scanning engine processes a malformed PE file, leading to denial of service of the antivirus process. Affected products include Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux. The vulnerable code path ships through a shared Gen Digital virus definition update stream, and any installation running virus definition builds prior to VPS 25022500 is exposed.
Critical Impact
A malformed PE file can crash the antivirus scanning process, disabling real-time protection until the service recovers and leaving endpoints unprotected during the outage.
Affected Products
- Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux
- Other Gen Digital products embedding the same scanning engine fed by the shared virus definition update stream
- Any installation with virus definition build below VPS 25022500
Discovery Timeline
- 2026-06-12 - CVE-2025-7006 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7006
Vulnerability Analysis
The vulnerability resides in the PE file parsing routine used by the shared Gen Digital antivirus engine. When the scanner processes a crafted, malformed Windows PE binary, the parser references a stack-allocated buffer after its lifetime has ended. This results in undefined behavior and crashes the antivirus scanning process, producing a denial of service condition. The flaw is classified under [CWE-590] (Free of Memory Not on the Heap), reflecting the misuse of stack memory in a manner analogous to use-after-free patterns. Exploitation does not yield code execution, information disclosure, or integrity loss based on the published advisory.
Root Cause
The parser retains a pointer or reference to data residing on the stack frame of a function that has already returned. When subsequent scanning logic dereferences that reference, the stack region has been reclaimed or overwritten by later calls. Malformed PE structures, such as inconsistent section headers or oversized fields, drive the parser down a code path where this dangling stack reference is consumed.
Attack Vector
The attack requires local delivery of a malformed PE file and user interaction in the form of file access or download that triggers the on-access scanner. A successful trigger crashes the antivirus process, breaking real-time protection coverage until the service restarts. The advisory does not document remote network exploitation, and no public proof-of-concept or in-the-wild exploitation is reported.
No verified public exploit code is available. Refer to the Gen Digital Security Advisory for vendor technical details.
Detection Methods for CVE-2025-7006
Indicators of Compromise
- Unexpected crashes or restarts of Avast, AVG, or Norton antivirus scanning processes correlated with file scanning events
- Windows Application or system event logs showing faulting module entries tied to the antivirus engine when a specific file is accessed
- Endpoints reporting virus definition builds below VPS 25022500 while processing files from untrusted sources
Detection Strategies
- Inventory endpoints to identify installations of affected Gen Digital antivirus products and compare virus definition builds against VPS 25022500
- Correlate antivirus service crash events with recent file write or download activity to surface candidate malformed PE samples
- Capture and analyze any PE file that consistently reproduces a scanner crash, treating it as a likely trigger artifact
Monitoring Recommendations
- Monitor antivirus service health telemetry and alert on abnormal termination of the scanning process
- Track virus definition build versions across the fleet and flag hosts that fall behind the fixed VPS 25022500 baseline
- Watch for repeated scan failures on the same file path, which may indicate a malformed PE used to trigger the defect
How to Mitigate CVE-2025-7006
Immediate Actions Required
- Confirm that the virus definition update channel is active and that endpoints have received build VPS 25022500 or later
- Force a definition update on hosts running affected Avast, AVG, Norton, Avast One, or Avast Business Antivirus installations
- Restart the antivirus service on any host where the scanning process has crashed to restore real-time protection
Patch Information
Mitigation ships through the shared Gen Digital virus definition update stream. Installations at or above virus definition build VPS 25022500 are not vulnerable, regardless of which product consumes the stream. No standalone product binary update is required. Consult the Gen Digital Security Advisory for the authoritative remediation guidance.
Workarounds
- Restrict execution and download of untrusted PE files on affected endpoints until the definition update is deployed
- Block ingress of executable attachments at the email gateway and web proxy as a temporary control
- Ensure endpoint management policies enforce automatic virus definition updates so the fix propagates without manual intervention
# Verify Avast/AVG virus definition build on Windows
"C:\Program Files\Avast Software\Avast\ashCmd.exe" /version
# Trigger an immediate definition update (Avast/AVG)
"C:\Program Files\Avast Software\Avast\AvEmUpdate.exe" /update
# Confirm build is at or above VPS 25022500
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

