Skip to main content
CVE Vulnerability Database

CVE-2025-7019: Avast Antivirus DoS Vulnerability

CVE-2025-7019 is a stack overflow DoS vulnerability in Avast Antivirus affecting multiple Gen Digital products when scanning malformed Office Open XML files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7019 Overview

CVE-2025-7019 is a stack overflow vulnerability [CWE-121] in the file scanning engine shared across Gen Digital antivirus products. The flaw triggers when the scanner parses a malformed Office Open XML (OOXML) file, causing the antivirus process to crash. The affected scanning logic is delivered through a shared Gen Digital virus definition update stream, meaning the same defect impacts multiple consumer and business products that embed the engine. The vulnerability requires local access and user interaction to deliver the malicious file to the scanner.

Critical Impact

A crafted OOXML document can crash the antivirus scanning process, producing a Denial-of-Service condition that suspends real-time protection until the service restarts.

Affected Products

  • Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux
  • Gen Digital products embedding the same scanning engine through the shared virus definition stream
  • All installations using virus definition builds before VPS 25020100

Discovery Timeline

  • 2026-06-12 - CVE-2025-7019 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7019

Vulnerability Analysis

The vulnerability is a stack-based buffer overflow [CWE-121] that occurs during parsing of malformed Office Open XML files. OOXML is a structured ZIP container holding XML parts that describe Word, Excel, and PowerPoint documents. When the scanning engine processes a specifically malformed OOXML structure, the parser writes beyond the bounds of a stack buffer.

Exploitation requires a local file to reach the on-access or on-demand scanner. The user must trigger the scan, either by saving, opening, or downloading the file into a monitored path. The result is loss of availability of the antivirus process. The vulnerability does not expose confidentiality or integrity of host data, and no code execution has been described in the advisory.

The defect lives inside parsing logic distributed through the shared Gen Digital virus definition channel rather than in product binaries. This distribution model means a single update build addresses the issue across every product consuming the stream.

Root Cause

The root cause is insufficient bounds checking within the OOXML parser inside the shared scanning engine. A malformed structural element in the container drives a stack write past the allocated buffer, producing the overflow condition tracked as CWE-121.

Attack Vector

The attack vector is local. An attacker delivers a malformed OOXML file to a target system through email attachments, removable media, network shares, or web downloads. When the antivirus engine inspects the file, the parser triggers the overflow and the scanning process terminates. Refer to the Gen Digital Security Advisory for parser-level technical details.

// No verified exploitation code is available.
// The malformed OOXML container causes the scanner's stack buffer to overflow during parsing,
// terminating the antivirus process.

Detection Methods for CVE-2025-7019

Indicators of Compromise

  • Unexpected termination or repeated crashes of Avast, AVG, Norton, or Avast Business antivirus processes shortly after a file scan event
  • OOXML files (.docx, .xlsx, .pptx) arriving from untrusted sources that consistently coincide with scanner failures
  • Antivirus service logs showing parser exceptions when handling Office documents prior to VPS build 25020100

Detection Strategies

  • Correlate antivirus process crash events with the file paths last submitted to the scanner to identify candidate malformed OOXML samples
  • Monitor endpoint telemetry for the absence of antivirus heartbeat following user interaction with newly delivered Office documents
  • Compare installed virus definition build numbers against VPS 25020100 across the fleet to identify exposed hosts

Monitoring Recommendations

  • Alert on antivirus service stop, restart, or crash events through EDR or system event collection
  • Track Office document delivery channels including email gateways and download proxies for high volumes of malformed OOXML files
  • Maintain centralized logging of virus definition build versions to confirm patch propagation

How to Mitigate CVE-2025-7019

Immediate Actions Required

  • Update all affected Gen Digital antivirus products to virus definition build VPS 25020100 or later
  • Verify that automatic virus definition updates are enabled and reaching every endpoint
  • Audit endpoints for outdated definition builds and force an update where required

Patch Information

Mitigation is delivered through the shared Gen Digital virus definition update stream. Installations at or above VPS build 25020100 are not vulnerable, regardless of which Gen Digital product consumes the stream. See the Gen Digital Security Advisory for the official notice and build references.

Workarounds

  • Restrict delivery of untrusted Office Open XML files through email and web gateways until definition updates complete
  • Confirm that the antivirus update service has network reachability to the Gen Digital definition servers
  • Restart the antivirus service after applying the updated VPS build to ensure the new parser logic is loaded
bash
# Verify virus definition build on Windows (Avast example)
"C:\Program Files\Avast Software\Avast\AvastUI.exe" /sched
# Confirm the reported VPS build is 25020100 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.