CVE-2025-8351 Overview
A heap-based buffer overflow and out-of-bounds read vulnerability has been identified in Avast Antivirus on MacOS. When scanning a malformed file, this vulnerability may allow local execution of code or denial-of-service of the antivirus engine process. The vulnerability stems from improper memory handling during the file scanning process, potentially enabling attackers to compromise the security software itself.
Critical Impact
This vulnerability allows attackers to execute arbitrary code or crash the antivirus engine by crafting malicious files, potentially disabling endpoint protection and leaving systems undefended against further attacks.
Affected Products
- Avast Antivirus for MacOS, versions from 8.3.70.94 up to but not including 8.3.70.98 (8.3.70.98 is the fixed version)
Discovery Timeline
- 2025-12-01 - CVE-2025-8351 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-8351
Vulnerability Analysis
This vulnerability involves CWE-122 (Heap-based Buffer Overflow), a memory corruption flaw that occurs when the antivirus engine processes specially crafted malformed files. During the file scanning operation, the engine fails to properly validate input boundaries, leading to memory corruption on the heap. This can result in either arbitrary code execution with the privileges of the antivirus process or a denial-of-service condition that terminates the scanning engine.
The heap-based nature of this vulnerability means that exploitation requires careful memory manipulation. An attacker would need to craft a file that, when scanned by the Avast engine, triggers the overflow condition. Since antivirus software typically runs with elevated privileges to perform deep system scans, successful exploitation could provide significant system access.
Root Cause
The root cause lies in insufficient bounds checking during file parsing operations within the Avast Antivirus scanning engine. When processing certain malformed file structures, the engine allocates a heap buffer that is inadequate for the actual data being processed, leading to an out-of-bounds write condition. Additionally, an out-of-bounds read vulnerability allows memory disclosure, which could aid in bypassing security mitigations like ASLR.
Attack Vector
The attack is network-accessible according to the CVSS vector, though it requires high attack complexity. An attacker would need to deliver a malicious file to the target system where Avast Antivirus is installed. This could be accomplished through various means such as email attachments, malicious downloads, or network file shares. When the antivirus engine scans the malformed file—either through real-time protection or manual scanning—the vulnerability is triggered.
The exploitation does not require user interaction beyond having the file present on the system where it will be scanned. The scope is changed, meaning successful exploitation can affect resources beyond the vulnerable component itself.
Detection Methods for CVE-2025-8351
Indicators of Compromise
- Unexpected crashes or restarts of the Avast Antivirus engine process (com.avast.daemon)
- Presence of unusually structured or corrupted files with unexpected file headers
- Abnormal memory usage patterns or memory access violations in antivirus logs
- Suspicious process spawning from the Avast engine process
Detection Strategies
- Monitor for repeated antivirus engine crashes or service restarts using system logs
- Implement file integrity monitoring to detect delivery of potentially malicious trigger files
- Review MacOS crash reports (~/Library/Logs/DiagnosticReports/) for Avast-related crashes
- Deploy behavioral analysis to detect anomalous process behavior following antivirus engine interactions
Monitoring Recommendations
- Enable enhanced logging on endpoint protection platforms to capture scanning errors
- Configure alerting for antivirus service failures or unexpected terminations
- Monitor for process injection attempts or unusual child process creation from antivirus components
- Implement network monitoring to detect delivery vectors for malicious files
How to Mitigate CVE-2025-8351
Immediate Actions Required
- Update Avast Antivirus to version 8.3.70.98 or later immediately
- Review antivirus logs for signs of exploitation attempts or unusual crashes
- Temporarily quarantine suspicious files pending investigation
- Consider enabling additional endpoint protection layers while patching is completed
Patch Information
Gen Digital (the parent company of Avast) has released a security update addressing this vulnerability. Users should update Avast Antivirus on MacOS to version 8.3.70.98 or later. For detailed information, refer to the Gen Digital Security Advisory.
Workarounds
- If immediate patching is not possible, consider temporarily disabling real-time file scanning for untrusted file sources
- Implement network-level filtering to block known malicious file types
- Use alternative endpoint protection solutions until the vulnerable Avast version can be updated
- Restrict access to file download and sharing capabilities for high-risk users
# Verify Avast Antivirus version on MacOS
# Open Avast Security application
# Navigate to Avast Security > About Avast Security
# Confirm version is 8.3.70.98 or higher
# Check for recent Avast crashes in system logs
log show --predicate 'process == "com.avast.daemon"' --last 24h | grep -i "crash\|error\|fault"
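The two checks above (is the installed build inside the affected range, and are there Avast crash reports to review) as a small POSIX shell script. This is an added example, not part of the advisory or of Avast's own tooling; the affected-range bounds come from the advisory, while the crash-report file naming and the "avast" substring used to pick out Avast reports are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): range check for CVE-2025-8351 plus a
# count of Avast-related crash reports in a DiagnosticReports directory.

# vercmp A B: compare two dotted versions field by field; prints -1, 0 or 1.
vercmp() {
  a=$1; b=$2; i=1
  while [ "$i" -le 4 ]; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i"); y=$(printf '%s\n' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}            # missing trailing fields count as 0
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
    i=$((i + 1))
  done
  echo 0
}

# is_affected VERSION: exit 0 when 8.3.70.94 <= VERSION < 8.3.70.98 (the range
# named in the advisory), 1 otherwise.
is_affected() {
  [ "$(vercmp "$1" 8.3.70.94)" -ge 0 ] && [ "$(vercmp "$1" 8.3.70.98)" -lt 0 ]
}

# avast_crash_count DIR: number of crash reports whose file name mentions "avast".
# Assumption: macOS names reports "<process>-<date>.ips" (or ".crash"), so the
# Avast daemon's reports carry its process name; adjust the pattern if yours differ.
avast_crash_count() {
  n=$(ls "$1" 2>/dev/null | grep -ci 'avast') || n=0
  echo "$n"
}

# Usage: sh check_avast.sh <version from Avast Security > About Avast Security>
if [ $# -eq 1 ]; then
  if is_affected "$1"; then
    echo "$1: inside the affected range, update to 8.3.70.98 or later"
  else
    echo "$1: not in the affected range"
  fi
  echo "Avast crash reports in ~/Library/Logs/DiagnosticReports: $(avast_crash_count "$HOME/Library/Logs/DiagnosticReports")"
fi
```

A non-zero crash-report count is only a prompt to open the reports and read the faulting address and stack, since ordinary bugs crash the daemon too.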