CVE-2025-7010 Overview
CVE-2025-7010 is a stack overflow vulnerability caused by uncontrolled recursion [CWE-674] in the PDF scanning logic shared across multiple Gen Digital antivirus products. When the scanning engine processes a malformed PDF file, recursive parsing exhausts the available stack, terminating the antivirus process. This produces a denial-of-service (DoS) condition against the security product itself, leaving the host unprotected until the engine recovers. The affected logic ships through a shared Gen Digital virus definition update stream, so any product embedding the same engine is impacted until it consumes virus definition build VPS 25021208 or later.
Critical Impact
A malformed PDF processed by the antivirus engine crashes the scanning process, disabling on-access protection on Windows, macOS, and Linux endpoints.
Affected Products
- Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux
- Any Gen Digital product embedding the same shared scanning engine
- All virus definition builds prior to VPS 25021208
Discovery Timeline
- 2026-06-12 - CVE-2025-7010 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7010
Vulnerability Analysis
The flaw resides in the PDF parsing component of the shared Gen Digital scanning engine. PDF documents are inherently hierarchical, containing nested objects, streams, and cross-reference structures. The scanner walks these structures recursively without enforcing a depth limit, allowing an attacker-crafted PDF to drive the call stack until it overflows.
When the stack overflows, the scanning process terminates abnormally. Because the scanner runs as part of real-time protection, its crash interrupts on-access scanning until the service restarts. Repeated triggering produces a sustained DoS against the antivirus product.
Exploitation requires the malformed PDF to reach the scanner. This typically happens through file download, email attachment delivery, USB media, or directory access where on-access scanning inspects the file. The attack is local in nature and depends on user interaction or automatic file inspection.
Root Cause
The scanner's PDF object traversal logic lacks recursion depth bounds. Crafted PDFs containing deeply nested or self-referential object trees force the parser into runaway recursion. Each recursive frame consumes stack space until the operating system terminates the process. This pattern is classified under [CWE-674] Uncontrolled Recursion.
Attack Vector
The attacker delivers a malformed PDF to the target system through any channel that triggers antivirus inspection. No authentication is required, and exploitation succeeds when the scanner opens the file. The result is loss of availability for the antivirus process. The vulnerability does not provide code execution, data disclosure, or integrity impact based on the published advisory.
No public proof-of-concept or exploit in the wild has been reported, and the CVE is not listed on the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-7010
Indicators of Compromise
- Unexpected termination or repeated restarts of Avast, AVG, or Norton scanning service processes on endpoints
- Operating system crash dumps referencing stack overflow exceptions inside the antivirus engine
- PDF files arriving from untrusted sources immediately preceding antivirus process termination
Detection Strategies
- Monitor antivirus product health telemetry for abnormal process exits, service restarts, or scan engine errors
- Correlate PDF file open or download events with subsequent antivirus crashes in endpoint logs
- Inspect Windows Event Log, macOS unified logs, and Linux journald for crash entries naming the scanner binary
Monitoring Recommendations
- Track the deployed virus definition build version across the fleet and alert on installations below VPS 25021208
- Forward antivirus service status events to a centralized logging or SIEM platform for fleet-wide visibility
- Establish a baseline for normal scanner restart frequency and alert on deviations
How to Mitigate CVE-2025-7010
Immediate Actions Required
- Confirm that every endpoint has received virus definition build VPS 25021208 or later through the Gen Digital update channel
- Force a manual virus definition update on systems showing stale signatures
- Verify that automatic definition updates are enabled and reaching endpoints across Windows, macOS, and Linux
Patch Information
Gen Digital delivered the fix through the shared virus definition update stream. Installations running virus definition build VPS 25021208 or later are not vulnerable, regardless of which consumer product embeds the engine. Refer to the Gen Digital Security Advisory for additional vendor guidance.
Workarounds
- Restrict handling of PDF files from untrusted sources until the updated definitions are confirmed deployed
- Apply email gateway and web proxy filtering to block or quarantine suspicious PDF attachments
- Monitor antivirus service health and configure automatic service restart policies to limit DoS duration
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

