Skip to main content
CVE Vulnerability Database

CVE-2025-7011: Avast Antivirus Heap RCE Vulnerability

CVE-2025-7011 is a heap out-of-bounds read flaw in Avast Antivirus that may allow local code execution or denial-of-service when scanning malformed zip files. This article covers technical details, affected products, and mitigation.

Published:

CVE-2025-7011 Overview

CVE-2025-7011 is a heap out-of-bounds read vulnerability [CWE-125] in the scanning engine shared across Gen Digital antivirus products. The flaw triggers when the engine scans a malformed zip archive containing crafted XML content. Successful exploitation can lead to local code execution or denial-of-service of the antivirus process.

The issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux. Vulnerable virus definition builds range from 25020100 through builds before 25021208. Mitigation is delivered through the shared Gen Digital virus definition update stream.

Critical Impact

Attackers who place a malformed zip on a target system can crash or execute code inside the antivirus process, which typically runs with elevated privileges.

Affected Products

  • Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux
  • Gen Digital virus definition builds from 25020100 before 25021208
  • Other Gen Digital products that embed the same shared scanning engine

Discovery Timeline

  • 2026-06-12 - CVE-2025-7011 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7011

Vulnerability Analysis

The vulnerability is a heap out-of-bounds read in the archive scanning logic of the Gen Digital antivirus engine. When the engine parses a zip archive containing malformed XML, it reads memory beyond the bounds of an allocated heap buffer. The attack vector is local and requires user interaction, since the malformed archive must reach a path that the on-access or on-demand scanner inspects.

The condition affects confidentiality, integrity, and availability of the antivirus process. Because antivirus engines run with high privileges on Windows, macOS, and Linux, a successful read primitive combined with controlled heap layout can be staged into code execution. At minimum, the malformed archive crashes the scanner, disabling protection on the host.

Root Cause

The root cause is insufficient bounds checking within the XML parsing path used during zip archive inspection. The scanner trusts size or offset fields from the malformed input and reads past the end of a heap buffer, matching the pattern described by CWE-125: Out-of-bounds Read.

Attack Vector

An attacker delivers a malformed zip archive containing crafted XML to the target system through email attachments, downloads, removable media, or shared folders. When the on-access scanner or a user-initiated scan inspects the archive, the engine processes the embedded XML and triggers the out-of-bounds read. Local access and user interaction with the malicious file are required.

No verified public proof-of-concept code is available for this vulnerability. See the Gen Digital Security Advisory for vendor technical details.

Detection Methods for CVE-2025-7011

Indicators of Compromise

  • Unexpected termination or repeated crashes of the Avast, AVG, or Norton scanning service on endpoints
  • Presence of malformed zip archives containing oversized or truncated XML structures in user download or temp directories
  • Antivirus engine error events referencing the archive or XML parser modules

Detection Strategies

  • Inventory endpoints by installed Gen Digital product and current virus definition build, flagging any build between 25020100 and below 25021208
  • Monitor process telemetry for abnormal exits, access violations, or hangs in the antivirus scanner process
  • Inspect EDR file-write telemetry for zip archives that arrive from untrusted sources immediately before scanner crashes

Monitoring Recommendations

  • Forward antivirus service health and crash events to a central SIEM and alert on repeated scanner restarts
  • Track virus definition update status across the fleet to confirm builds reach 25021208 or later
  • Correlate file delivery events from email and web gateways with scanner errors on the receiving host

How to Mitigate CVE-2025-7011

Immediate Actions Required

  • Verify that all endpoints running Avast, AVG, Norton, Avast One, or Avast Business Antivirus have received virus definition build 25021208 or later
  • Force a definition update on systems still reporting builds in the vulnerable range
  • Restrict handling of untrusted zip archives until definitions are confirmed updated

Patch Information

Gen Digital remediated the issue through the shared virus definition update stream. Installations running definition build 25021208 or later are not vulnerable, regardless of which Gen Digital product consumes the stream. Refer to the Gen Digital Security Advisory for the authoritative fix information.

Workarounds

  • Block delivery of zip archives from untrusted sources at email and web gateways until definitions are updated
  • Disable on-access scanning of archives temporarily on critical systems where definition updates are delayed, accepting the reduced protection trade-off
  • Educate users to avoid opening unsolicited zip attachments while remediation is in progress

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.