CVE-2025-7011 Overview
CVE-2025-7011 is a heap out-of-bounds read vulnerability [CWE-125] in the scanning engine shared across Gen Digital antivirus products. The flaw triggers when the engine scans a malformed zip archive containing crafted XML content. Successful exploitation can lead to local code execution or denial-of-service of the antivirus process.
The issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux. Vulnerable virus definition builds range from 25020100 through builds before 25021208. Mitigation is delivered through the shared Gen Digital virus definition update stream.
Critical Impact
Attackers who place a malformed zip on a target system can crash or execute code inside the antivirus process, which typically runs with elevated privileges.
Affected Products
- Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux
- Gen Digital virus definition builds from 25020100 before 25021208
- Other Gen Digital products that embed the same shared scanning engine
Discovery Timeline
- 2026-06-12 - CVE-2025-7011 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7011
Vulnerability Analysis
The vulnerability is a heap out-of-bounds read in the archive scanning logic of the Gen Digital antivirus engine. When the engine parses a zip archive containing malformed XML, it reads memory beyond the bounds of an allocated heap buffer. The attack vector is local and requires user interaction, since the malformed archive must reach a path that the on-access or on-demand scanner inspects.
The condition affects confidentiality, integrity, and availability of the antivirus process. Because antivirus engines run with high privileges on Windows, macOS, and Linux, a successful read primitive combined with controlled heap layout can be staged into code execution. At minimum, the malformed archive crashes the scanner, disabling protection on the host.
Root Cause
The root cause is insufficient bounds checking within the XML parsing path used during zip archive inspection. The scanner trusts size or offset fields from the malformed input and reads past the end of a heap buffer, matching the pattern described by CWE-125: Out-of-bounds Read.
Attack Vector
An attacker delivers a malformed zip archive containing crafted XML to the target system through email attachments, downloads, removable media, or shared folders. When the on-access scanner or a user-initiated scan inspects the archive, the engine processes the embedded XML and triggers the out-of-bounds read. Local access and user interaction with the malicious file are required.
No verified public proof-of-concept code is available for this vulnerability. See the Gen Digital Security Advisory for vendor technical details.
Detection Methods for CVE-2025-7011
Indicators of Compromise
- Unexpected termination or repeated crashes of the Avast, AVG, or Norton scanning service on endpoints
- Presence of malformed zip archives containing oversized or truncated XML structures in user download or temp directories
- Antivirus engine error events referencing the archive or XML parser modules
Detection Strategies
- Inventory endpoints by installed Gen Digital product and current virus definition build, flagging any build between 25020100 and below 25021208
- Monitor process telemetry for abnormal exits, access violations, or hangs in the antivirus scanner process
- Inspect EDR file-write telemetry for zip archives that arrive from untrusted sources immediately before scanner crashes
Monitoring Recommendations
- Forward antivirus service health and crash events to a central SIEM and alert on repeated scanner restarts
- Track virus definition update status across the fleet to confirm builds reach 25021208 or later
- Correlate file delivery events from email and web gateways with scanner errors on the receiving host
How to Mitigate CVE-2025-7011
Immediate Actions Required
- Verify that all endpoints running Avast, AVG, Norton, Avast One, or Avast Business Antivirus have received virus definition build 25021208 or later
- Force a definition update on systems still reporting builds in the vulnerable range
- Restrict handling of untrusted zip archives until definitions are confirmed updated
Patch Information
Gen Digital remediated the issue through the shared virus definition update stream. Installations running definition build 25021208 or later are not vulnerable, regardless of which Gen Digital product consumes the stream. Refer to the Gen Digital Security Advisory for the authoritative fix information.
Workarounds
- Block delivery of zip archives from untrusted sources at email and web gateways until definitions are updated
- Disable on-access scanning of archives temporarily on critical systems where definition updates are delayed, accepting the reduced protection trade-off
- Educate users to avoid opening unsolicited zip attachments while remediation is in progress
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

