CVE-2025-7009 Overview
CVE-2025-7009 is a heap buffer out-of-bounds read vulnerability [CWE-125] in the malformed Windows Portable Executable (PE) file scanning logic shared across Gen Digital antivirus products. The flaw affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux. Attackers can trigger local code execution or crash the antivirus process by supplying a crafted PE file to the scanner. The vulnerable logic ships through the shared Gen Digital virus definition update stream. Builds at or above VPS 25021310 are not vulnerable.
Critical Impact
A crafted PE file processed by the affected scanner can lead to local code execution or denial-of-service of the antivirus process, undermining the security tool itself.
Affected Products
- Avast Antivirus, Avast One, and Avast Business Antivirus (Windows, macOS, Linux) before VPS 25021310
- AVG Antivirus (Windows, macOS, Linux) before VPS 25021310
- Norton Antivirus and other Gen Digital products embedding the same scanning engine
Discovery Timeline
- 2026-06-12 - CVE-2025-7009 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7009
Vulnerability Analysis
The vulnerability resides in the PE file parsing routine used by the Gen Digital scanning engine. When the scanner processes a malformed Windows PE file, it reads beyond the bounds of an allocated heap buffer. The condition is classified as an Out-of-Bounds Read [CWE-125] and arises during normal scanning, meaning the attacker does not need to invoke the scanner directly.
Because antivirus engines typically scan files automatically on access, write, or download, the attack surface extends to any path that writes a PE file to disk on a protected host. The shared definition stream means a single defective parser impacts every Gen Digital product consuming the engine.
Root Cause
The scanner trusts size or offset fields embedded inside the PE structure without sufficient validation against the actual allocated buffer length. A crafted file with manipulated header values causes the parser to dereference memory beyond the heap allocation. Depending on adjacent memory layout, the read can leak data, corrupt control flow, or crash the scanning process.
Attack Vector
Exploitation requires local access and user interaction to introduce the malformed PE file to a location the antivirus monitors. Common vectors include drive-by downloads, email attachments saved to disk, USB media, or files written by another local process. Once the antivirus engine scans the file, the out-of-bounds read executes in the context of the privileged scanning process. Successful exploitation yields code execution at high privilege or terminates the antivirus, disabling endpoint protection.
No verified public proof-of-concept code is available. See the Gen Digital Security Advisory for vendor-supplied technical context.
Detection Methods for CVE-2025-7009
Indicators of Compromise
- Unexpected crashes or restarts of Avast, AVG, or Norton antivirus service processes on protected hosts
- Antivirus engine logs reporting parser exceptions or access violations while scanning PE files
- Sudden disabling of real-time protection coinciding with the appearance of new executables on disk
Detection Strategies
- Inventory installed Gen Digital antivirus products and query their virus definition version (VPS) build numbers against the fixed build 25021310
- Monitor endpoint telemetry for abnormal child processes spawned by antivirus service binaries
- Correlate file-write events involving PE files with subsequent antivirus process termination events
Monitoring Recommendations
- Forward antivirus application logs and Windows Application event logs to a central SIEM for parser-error correlation
- Alert on service stop or crash events for Avast, AVG, and Norton service names
- Track VPS definition build versions across the fleet and flag endpoints lagging behind 25021310
How to Mitigate CVE-2025-7009
Immediate Actions Required
- Verify that all endpoints running Avast, AVG, Norton, Avast One, or Avast Business Antivirus have received virus definition build 25021310 or later
- Confirm the automatic virus definition update channel is enabled and reaching all managed endpoints
- Investigate any host where the antivirus service has crashed unexpectedly since the affected builds shipped
Patch Information
Gen Digital remediated the issue through the shared virus definition update stream. Installations running VPS build 25021310 or later are not vulnerable, regardless of which Gen Digital product consumes the stream. No installer upgrade is required when the definition update has applied successfully. Confirmation steps are documented in the Gen Digital Security Advisory.
Workarounds
- Restrict the introduction of untrusted PE files to protected endpoints through application control and removable media policies
- Enforce least-privilege user accounts to reduce the impact of any local code execution against the antivirus process
- Until the VPS update applies, monitor antivirus health closely and quarantine hosts that fail to receive definition updates
# Verify Avast VPS definition build on Windows
"C:\Program Files\Avast Software\Avast\AvastUI.exe" /info
# Compare reported VPS build to 25021310 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

