Description
The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3.
Published: 2026-05-08
Score: n/a
EPSS: 1.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a local attacker to trigger a double‑fetch condition in the aswArPot.sys driver, enabling arbitrary code execution in kernel mode or causing a denial of service through memory corruption and OS crash. This results in complete system compromise or interruption of service, as the kernel can be hijacked to perform privileged operations.

Affected Systems

Systems running Avast or AVG Windows Anti‑Rootkit drivers prior to version 22.1 are affected. The vulnerable driver, aswArPot.sys, is installed on Windows machines that have the legacy Avast/AVG anti‑rootkit component enabled.

Risk and Exploitability

Exploitation requires a local attacker who can already execute code on the host, but the impact is severe: full kernel compromise. No EPSS score or KEV listing is available, yet the description indicates high severity due to kernel‑level control. An attacker who can run code locally could install rootkits or bypass system defenses. The risk is considered high even though the attack vector is local.

Generated by OpenCVE AI on May 8, 2026 at 06:26 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest Avast/AVG release (22.1 or later) which replaces the vulnerable aswArPot.sys driver.
  • If an immediate update is not possible, uninstall or disable the anti‑rootkit feature that loads the driver until a patch is issued.
  • Restrict local system access and monitor for abnormal kernel crashes or unauthorized execution events to detect possible exploitation attempts.

Advisories

No advisories yet.

History

Fri, 08 May 2026 06:45:00 +0000

Type | Values Removed | Values Added
Title | | Local Kernel‑Mode Code Execution via Double‑Fetch in Avast/AVG Anti‑Rootkit Driver
Weaknesses | | CWE-416, CWE-84

Fri, 08 May 2026 05:00:00 +0000

Type | Values Removed | Values Added
Description | | The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T04:23:50.475Z

Reserved: 2022-03-07T00:00:00.000Z

Link: CVE-2022-26522

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T05:16:08.893

Modified: 2026-05-08T05:16:08.893

Link: CVE-2022-26522

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T06:30:46Z

Weaknesses