Skip to main content
CVE Vulnerability Database

CVE-2025-7008: Avast Antivirus Buffer Overflow Vulnerability

CVE-2025-7008 is a heap buffer overflow in Avast Antivirus affecting multiple Gen Digital products when scanning malformed PE files. This vulnerability enables code execution or denial-of-service. Learn the technical details.

Published:

CVE-2025-7008 Overview

CVE-2025-7008 is a heap buffer out-of-bounds read vulnerability [CWE-125] in the scanning engine used by Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus. The flaw triggers when the engine scans a malformed Windows Portable Executable (PE) file containing crafted .NET metadata. Successful exploitation can lead to local code execution or denial of service of the antivirus process. The affected scanning logic ships through the shared Gen Digital virus definition update stream, which feeds multiple consumer and business products embedding the same engine. Builds at or above VPS 25021310 are not vulnerable.

Critical Impact

A malformed .NET PE file scanned by the antivirus engine can corrupt memory in a privileged scanning process, enabling local code execution or termination of the security product.

Affected Products

  • Avast Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux with virus definitions before VPS 25021310
  • AVG Antivirus on Windows, macOS, and Linux with virus definitions before VPS 25021310
  • Norton Antivirus and other Gen Digital products embedding the same scanning engine

Discovery Timeline

  • 2026-06-12 - CVE-2025-7008 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7008

Vulnerability Analysis

The vulnerability resides in the scanning logic that parses Windows PE files containing .NET (CLI) metadata. When the engine processes a malformed PE structure, it reads beyond the bounds of a heap buffer. The out-of-bounds read can disclose adjacent heap memory, destabilize the scanning process, or be combined with secondary primitives to achieve local code execution within the antivirus process context. Antivirus engines typically run with elevated privileges, making any memory safety issue in their parsers a high-value target for local attackers and malware authors who can plant a file on disk for on-access scanning.

Root Cause

The root cause is improper bounds validation while traversing .NET metadata tables and streams inside a crafted PE file. The parser trusts attacker-controlled size or offset fields when reading metadata, dereferencing memory outside the allocated heap region. This pattern aligns with [CWE-125] Out-of-Bounds Read.

Attack Vector

An attacker with local access drops a malformed PE file on the target system. Real-time on-access scanning, scheduled scans, or manual scanning of the file triggers the vulnerable parsing path. User interaction is required to introduce the file or invoke a scan. No authentication to the antivirus product is required because the malicious input is the file itself.

No verified proof-of-concept code is publicly available. Technical reproduction details are described in the GenDigital Security Advisory.

Detection Methods for CVE-2025-7008

Indicators of Compromise

  • Unexpected crashes, restarts, or hangs of the Avast, AVG, or Norton scanning service
  • Creation of PE files with malformed or oversized .NET metadata directories in user-writable paths
  • Antivirus engine process spawning unexpected child processes or writing to non-standard locations

Detection Strategies

  • Monitor process telemetry for abnormal termination or memory faults in Gen Digital scanner processes
  • Hunt for newly written .exe or .dll files containing CLI headers with inconsistent metadata stream sizes
  • Correlate file write events with subsequent antivirus engine crashes within a short time window

Monitoring Recommendations

  • Collect and alert on Windows Application event log entries reporting faulting modules belonging to the antivirus engine
  • Forward endpoint process and file telemetry to a centralized data lake for retrospective hunting against the affected build range
  • Track virus definition build numbers across the fleet and alert on any host running a VPS below 25021310

How to Mitigate CVE-2025-7008

Immediate Actions Required

  • Confirm that all endpoints running Avast, AVG, Norton, Avast One, or Avast Business Antivirus have received virus definitions at or above VPS 25021310
  • Force a virus definition update on managed endpoints and validate the resulting build number
  • Restrict the ability of low-privileged users to drop arbitrary executables into shared or scanned directories

Patch Information

Gen Digital remediated the issue through the shared virus definition update stream. Installations with VPS build 25021310 or later are not vulnerable, regardless of which Gen Digital product consumes the stream. Refer to the GenDigital Security Advisory for the authoritative build information.

Workarounds

  • Ensure automatic virus definition updates are enabled and not blocked by network filtering
  • Limit local file drop locations and enforce application control to reduce the chance of malformed PE files reaching the scanner
  • Where update delivery is delayed, temporarily disable scanning of untrusted user-writable directories until the definition build is confirmed current
bash
# Verify current Avast/AVG virus definition build on Windows
reg query "HKLM\SOFTWARE\Avast Software\Avast" /v "VPS Version"

# Force a definition update via the Avast command-line interface
"C:\Program Files\Avast Software\Avast\AvastUI.exe" /updatedefs

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.