Skip to main content
CVE Vulnerability Database

CVE-2025-7006: Avast Antivirus DoS Vulnerability

CVE-2025-7006 is a use-after-free DoS flaw in Avast Antivirus that crashes the antivirus process when scanning malformed PE files. This article covers technical details, affected products, and mitigation guidance.

Published:

CVE-2025-7006 Overview

CVE-2025-7006 is a use of stack memory after free vulnerability [CWE-590] in the Windows Portable Executable (PE) scanning logic shared across Gen Digital antivirus products. The flaw triggers when the scanning engine processes a malformed PE file, leading to denial of service of the antivirus process. Affected products include Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux. The vulnerable code path ships through a shared Gen Digital virus definition update stream, and any installation running virus definition builds prior to VPS 25022500 is exposed.

Critical Impact

A malformed PE file can crash the antivirus scanning process, disabling real-time protection until the service recovers and leaving endpoints unprotected during the outage.

Affected Products

  • Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux
  • Other Gen Digital products embedding the same scanning engine fed by the shared virus definition update stream
  • Any installation with virus definition build below VPS 25022500

Discovery Timeline

  • 2026-06-12 - CVE-2025-7006 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7006

Vulnerability Analysis

The vulnerability resides in the PE file parsing routine used by the shared Gen Digital antivirus engine. When the scanner processes a crafted, malformed Windows PE binary, the parser references a stack-allocated buffer after its lifetime has ended. This results in undefined behavior and crashes the antivirus scanning process, producing a denial of service condition. The flaw is classified under [CWE-590] (Free of Memory Not on the Heap), reflecting the misuse of stack memory in a manner analogous to use-after-free patterns. Exploitation does not yield code execution, information disclosure, or integrity loss based on the published advisory.

Root Cause

The parser retains a pointer or reference to data residing on the stack frame of a function that has already returned. When subsequent scanning logic dereferences that reference, the stack region has been reclaimed or overwritten by later calls. Malformed PE structures, such as inconsistent section headers or oversized fields, drive the parser down a code path where this dangling stack reference is consumed.

Attack Vector

The attack requires local delivery of a malformed PE file and user interaction in the form of file access or download that triggers the on-access scanner. A successful trigger crashes the antivirus process, breaking real-time protection coverage until the service restarts. The advisory does not document remote network exploitation, and no public proof-of-concept or in-the-wild exploitation is reported.

No verified public exploit code is available. Refer to the Gen Digital Security Advisory for vendor technical details.

Detection Methods for CVE-2025-7006

Indicators of Compromise

  • Unexpected crashes or restarts of Avast, AVG, or Norton antivirus scanning processes correlated with file scanning events
  • Windows Application or system event logs showing faulting module entries tied to the antivirus engine when a specific file is accessed
  • Endpoints reporting virus definition builds below VPS 25022500 while processing files from untrusted sources

Detection Strategies

  • Inventory endpoints to identify installations of affected Gen Digital antivirus products and compare virus definition builds against VPS 25022500
  • Correlate antivirus service crash events with recent file write or download activity to surface candidate malformed PE samples
  • Capture and analyze any PE file that consistently reproduces a scanner crash, treating it as a likely trigger artifact

Monitoring Recommendations

  • Monitor antivirus service health telemetry and alert on abnormal termination of the scanning process
  • Track virus definition build versions across the fleet and flag hosts that fall behind the fixed VPS 25022500 baseline
  • Watch for repeated scan failures on the same file path, which may indicate a malformed PE used to trigger the defect

How to Mitigate CVE-2025-7006

Immediate Actions Required

  • Confirm that the virus definition update channel is active and that endpoints have received build VPS 25022500 or later
  • Force a definition update on hosts running affected Avast, AVG, Norton, Avast One, or Avast Business Antivirus installations
  • Restart the antivirus service on any host where the scanning process has crashed to restore real-time protection

Patch Information

Mitigation ships through the shared Gen Digital virus definition update stream. Installations at or above virus definition build VPS 25022500 are not vulnerable, regardless of which product consumes the stream. No standalone product binary update is required. Consult the Gen Digital Security Advisory for the authoritative remediation guidance.

Workarounds

  • Restrict execution and download of untrusted PE files on affected endpoints until the definition update is deployed
  • Block ingress of executable attachments at the email gateway and web proxy as a temporary control
  • Ensure endpoint management policies enforce automatic virus definition updates so the fix propagates without manual intervention
bash
# Verify Avast/AVG virus definition build on Windows
"C:\Program Files\Avast Software\Avast\ashCmd.exe" /version

# Trigger an immediate definition update (Avast/AVG)
"C:\Program Files\Avast Software\Avast\AvEmUpdate.exe" /update

# Confirm build is at or above VPS 25022500

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.