Impact
The socket connection handler in the aswArPot.sys component of the Avast and AVG Windows Anti Rootkit driver contains a double-fetch condition, a race-condition flaw (CWE-362) that can be triggered by a local attacker. Because the handler fetches the same value twice, a user with local privileges can alter it between the two reads, leading to memory corruption. The corruption can then be leveraged to execute arbitrary code in kernel mode or to cause a memory fault that crashes the operating system. Since the exploitation occurs in kernel space, a successful attack effectively compromises the entire system.
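The double-fetch bug class described above, shown next to its hardened form. This is an added example, not the driver's code and not part of the original advisory. The request structure, handler names and buffer size are hypothetical, and the racing write is simulated deterministically inside `fetch_len`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BUF_CAP 16u   /* size of the handler's destination buffer */

/* Constructed stand-in for a request in caller-writable memory. */
struct req { volatile uint32_t len; uint8_t data[64]; };
static int fetches;   /* number of reads of req.len so far */

/* Every read of the shared field goes through here. After the first read
 * the field is rewritten, standing in for a concurrent writer thread. */
static uint32_t fetch_len(struct req *r) {
    uint32_t v = r->len;
    if (++fetches == 1) r->len = 64;
    return v;
}

/* Double fetch: the value checked and the value used are separate reads.
 * Returns the length requested; memcpy is clamped so the demo stays safe. */
static uint32_t handle_double_fetch(struct req *r, uint8_t *dst) {
    if (fetch_len(r) > BUF_CAP) return 0;        /* fetch 1: validate */
    uint32_t n = fetch_len(r);                   /* fetch 2: use      */
    memcpy(dst, r->data, n < BUF_CAP ? n : BUF_CAP);
    return n;
}

/* Hardened: capture once into a local, validate and use only the copy. */
static uint32_t handle_single_fetch(struct req *r, uint8_t *dst) {
    uint32_t n = fetch_len(r);
    if (n > BUF_CAP) return 0;
    memcpy(dst, r->data, n);
    return n;
}

typedef uint32_t (*handler_fn)(struct req *, uint8_t *);

/* Runs one handler against a fresh request whose len starts at `initial`. */
static uint32_t run(handler_fn h, uint32_t initial) {
    struct req r = { .len = initial };
    uint8_t dst[BUF_CAP];
    fetches = 0;
    return h(&r, dst);
}

int main(void) {
    printf("double fetch: %u bytes requested for a %u-byte buffer\n",
           (unsigned)run(handle_double_fetch, 8), BUF_CAP);
    printf("single fetch: %u bytes\n", (unsigned)run(handle_single_fetch, 8));
    return 0;
}
```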
Affected Systems
Both Avast and AVG provide a Windows Anti Rootkit driver that includes the aswArPot.sys module. Versions of these drivers released before the 22.1 update are vulnerable. The flaw is located in the socket connection handling routine at offset 0xbb94 within the driver.
Risk and Exploitability
The vulnerability is local‑only and requires the attacker to run code with elevated rights on the target machine. Once the double‑fetch condition is triggered, the attacker can achieve full kernel‑level execution or force a system crash. No public exploit code exists at this time, and the EPSS value is unavailable, but the potential impact is high. The issue is not listed in CISA’s KEV catalog, and it is not known to be actively exploited in the wild. Nevertheless, the feasibility of arbitrary code execution in kernel mode makes it a critical security concern for any user running a pre‑22.1 Avast or AVG installation.