Impact
A double-fetch condition exists in the socket connection handler of the aswArPot.sys module used by the Avast and AVG Windows Anti Rootkit drivers. The race condition, classified as CWE-400, allows a local attacker who can already execute code with elevated rights to change a value between the driver's first read of it and its later use, so that the driver acts on data it did not validate, leading to memory corruption. The corruption can be leveraged to execute arbitrary code in kernel mode, effectively giving the attacker full control of the system, or to trigger a kernel exception that crashes the machine. Because the flaw lives in kernel code, successful exploitation results in a complete compromise of the affected system.
Affected Systems
The flaw is present in the Avast and AVG Anti Rootkit drivers shipped before the 22.1 release. The affected component is the aswArPot.sys file, specifically the socket handling routine located at offset 0xbb94. All installations of Avast or AVG using a pre-22.1 version of the anti-rootkit driver are vulnerable.
Risk and Exploitability
The vulnerability is local-only and requires the attacker to already be able to run code with elevated privileges on the target machine. The CVSS score of 5.3 indicates moderate risk, and the Exploit Prediction Scoring System (EPSS) score is 2%, indicating a low but non-zero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, and no public exploit code has been reported to date. Nonetheless, the potential for kernel-level code execution makes it a high-impact security issue for any user running a pre-22.1 Avast or AVG installation.
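The following is an added illustration of the double-fetch pattern described above, not code from aswArPot.sys or from Avast/AVG. It models, in plain user-space C, a request handler that validates a length on one read of shared memory and then uses a second read of the same field, beside the hardened form that fetches once into a private copy; the `racy_field` helper and the handler names are hypothetical and stand in for a concurrent writer and for the driver's socket routine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KERNEL_BUF_SIZE 64u   /* constructed: size of the handler's destination buffer */

/* Stands in for a field in memory shared with an untrusted writer: each
 * fetch returns the next scripted value, emulating a concurrent modification
 * between the handler's reads. (Hypothetical helper, not a real kernel API.) */
struct racy_field {
    const uint32_t *values;
    size_t count;
    size_t idx;
};

static uint32_t fetch(struct racy_field *f) {
    uint32_t v = f->values[f->idx];
    if (f->idx + 1 < f->count) f->idx++;   /* later reads keep returning the last value */
    return v;
}

/* Vulnerable pattern: the length is validated on fetch #1, but the copy size
 * comes from fetch #2, which the writer may have changed in the meantime.
 * Returns the byte count the handler would copy, or -1 if rejected. */
static int handle_double_fetch(struct racy_field *len_field) {
    if (fetch(len_field) > KERNEL_BUF_SIZE)   /* check */
        return -1;
    uint32_t n = fetch(len_field);            /* use: re-read, no longer validated */
    return (int)n;                            /* n may now exceed KERNEL_BUF_SIZE */
}

/* Hardened pattern: read the shared field exactly once into a local copy,
 * then validate and use only that copy (a real driver would copy the whole
 * request into kernel-owned memory before touching any field). */
static int handle_single_fetch(struct racy_field *len_field) {
    uint32_t n = fetch(len_field);
    if (n > KERNEL_BUF_SIZE)
        return -1;
    return (int)n;
}

int main(void) {
    /* Constructed scenario: the writer flips the length from 16 to 200
     * right after the handler's validation read. */
    static const uint32_t flip[] = { 16u, 200u };
    struct racy_field a = { flip, 2, 0 }, b = { flip, 2, 0 };
    printf("double-fetch handler copies %d bytes into a %u-byte buffer\n",
           handle_double_fetch(&a), KERNEL_BUF_SIZE);
    printf("single-fetch handler copies %d bytes (16 = accepted, -1 = rejected)\n",
           handle_single_fetch(&b));
    return 0;
}
```

The vulnerable handler ends up trusting 200 for a 64-byte buffer, which is the memory corruption the advisory describes; the single-fetch version never sees the modified value.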
OpenCVE Enrichment