Description
Uncontrolled recursion vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Denial-of-Service of the antivirus process.

This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25031700.

The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.
Published: 2026-06-12
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Uncontrolled recursion in the shared scanning logic when parsing a malformed Windows PE file exhausts the stack of the antivirus process and crashes it, a denial of service of the scanner itself. The flaw is a textbook CWE-674 (uncontrolled recursion) bug: a self-referential or over-deep structure in the crafted file drives the parser through recursive calls with no depth bound. The advisory does not name the PE structure involved. An attacker triggers the crash simply by getting a specially crafted PE file in front of the scanner; antivirus products scan files on access or on demand, so the file only has to land somewhere the product looks.
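The advisory attributes the crash to uncontrolled recursion but does not say which PE structure the engine walks. The following added example (not Avast or Gen Digital code, and not the engine's actual parser) uses the PE resource directory, a tree whose legitimate depth is three levels (type, name, language), as an assumed stand-in to show the bug class. It builds resource sections in memory (constructed, not from any real file): a naive walker follows subdirectory offsets until the stack is exhausted on a section whose second directory points back at the root, while the hardened walker bounds depth, rejects cycles and checks every offset against the section size, returning a verdict instead of crashing. All structure layouts follow the PE/COFF specification; the function names are this example's own.

```python
"""CWE-674 in a PE resource-directory walker: naive vs. hardened.

Added illustration; not Avast or Gen Digital code. The advisory does not say
which PE structure the engine recurses into, so the resource directory tree is
an assumed stand-in. Layouts follow the PE/COFF specification; the blobs are
constructed in memory, not taken from any real file.
"""
import struct

SUBDIR_FLAG = 0x80000000   # high bit of OffsetToData: entry points at a subdirectory
DIR_HDR = 16               # sizeof(IMAGE_RESOURCE_DIRECTORY)
ENTRY = 8                  # sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY)
MAX_DEPTH = 3              # type / name / language: the legitimate tree depth


def _directory(entries):
    """IMAGE_RESOURCE_DIRECTORY with only ID entries, followed by its entries."""
    hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return hdr + b"".join(struct.pack("<II", name, off) for name, off in entries)


def build_chain(levels):
    """Constructed resource section: `levels` nested directories, then one data entry.

    levels=2 is a legitimate type/name/language tree; larger values are malformed
    but acyclic, which exercises the depth guard on its own.
    """
    dirs = []
    for i in range(levels):
        next_off = (i + 1) * (DIR_HDR + ENTRY)
        dirs.append(_directory([(i, SUBDIR_FLAG | next_off)]))
    leaf_off = (levels + 1) * (DIR_HDR + ENTRY)
    dirs.append(_directory([(0x409, leaf_off)]))          # language entry -> data
    data_entry = struct.pack("<IIII", 0x1000, 16, 0, 0)   # IMAGE_RESOURCE_DATA_ENTRY
    return b"".join(dirs) + data_entry


def build_cyclic():
    """Constructed malformed section: the second directory points back at the root."""
    second = DIR_HDR + ENTRY
    root = _directory([(3, SUBDIR_FLAG | second)])
    back = _directory([(1, SUBDIR_FLAG | 0)])
    return root + back


def count_resources_naive(section, off=0):
    """Follows subdirectory offsets with no depth or cycle check (the CWE-674 shape)."""
    n_named, n_id = struct.unpack_from("<HH", section, off + 12)
    total = 0
    for i in range(n_named + n_id):
        _, rva = struct.unpack_from("<II", section, off + DIR_HDR + ENTRY * i)
        if rva & SUBDIR_FLAG:
            total += count_resources_naive(section, rva & 0x7FFFFFFF)
        else:
            total += 1
    return total


def count_resources_hardened(section, off=0, depth=0, path=()):
    """Same walk with three guards: depth bound, cycle detection, and bounds checks."""
    if depth >= MAX_DEPTH:
        raise ValueError(f"resource tree deeper than {MAX_DEPTH} levels")
    if off in path:
        raise ValueError(f"resource directory cycle back to offset {off:#x}")
    if off + DIR_HDR > len(section):
        raise ValueError("directory header outside the resource section")
    n_named, n_id = struct.unpack_from("<HH", section, off + 12)
    n = n_named + n_id
    if off + DIR_HDR + ENTRY * n > len(section):
        raise ValueError("directory entries outside the resource section")
    total = 0
    for i in range(n):
        _, rva = struct.unpack_from("<II", section, off + DIR_HDR + ENTRY * i)
        if rva & SUBDIR_FLAG:
            total += count_resources_hardened(section, rva & 0x7FFFFFFF, depth + 1, path + (off,))
        else:
            total += 1
    return total


def naive_overflows(section):
    """True when the naive walker exhausts the stack; in a native engine this is the crash."""
    try:
        count_resources_naive(section)
        return False
    except RecursionError:
        return True


def scan(section):
    """What a scanner should do with a malformed tree: return a verdict, never crash."""
    try:
        return ("ok", count_resources_hardened(section))
    except ValueError as err:
        return ("malformed", str(err))


if __name__ == "__main__":
    good, deep, cyclic = build_chain(2), build_chain(8), build_cyclic()
    print("well-formed:", count_resources_naive(good), scan(good))
    print("over-deep:  ", count_resources_naive(deep), scan(deep))
    print("cyclic, naive walker overflows:", naive_overflows(cyclic))
    print("cyclic, hardened walker:", scan(cyclic))
```

The cycle check is per path rather than a global visited set, so a tree that legitimately shares a subdirectory between two parents still parses, while any offset that leads back to an ancestor is rejected. The depth bound catches the acyclic variant (a long chain of distinct directories) that a cycle check alone would miss, and the bounds checks stop `struct.unpack_from` from raising on an offset past the end of the section.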

Affected Systems

The vulnerability affects the Gen Digital products that consume the shared virus-definition stream, namely Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus, on Windows, macOS, and Linux, together with other Gen Digital products that embed the same engine. Only definition builds before VPS 25031700 are vulnerable; builds at or above it are not, whichever product consumes them. Because the flaw lives in scanning logic delivered through the definition stream rather than in a program release, the definition build number, not the application version, is the indicator of whether an installation is affected.

Risk and Exploitability

With a CVSS score of 5.5 the risk is moderate. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog. The vector is local with user interaction required and no privileges (AV:L/AC:L/PR:N/UI:R), which for an antivirus engine means the attacker needs only to get the crafted PE file onto the host, for example as a download or mail attachment, and have the product scan it; no existing foothold is required. Impact is confined to availability (C:N/I:N/A:H): the scanning process crashes and the rest of the system keeps running, but the protection that process provided is absent until it is restarted.

Generated by OpenCVE AI on June 12, 2026 at 23:23 UTC.

Remediation

Vendor Solution

Install virus definitions VPS 25031700 or any later virus-definition update. All builds at or above VPS 25031700 include the fix; staying current on definitions is required.


OpenCVE Recommended Actions

  • Install virus definitions VPS 25031700 or any later update; this replaces the vulnerable scanning logic in every product that consumes the stream.
  • Ensure all Gen Digital antivirus installations are on the current definition stream and that automatic definition updates are enabled and actually succeeding; a host whose update channel is blocked stays on the vulnerable logic regardless of how current its program version is.
  • Do not disable scanning as a stopgap: the crash removes protection for one process, whereas disabling scanning removes it for every file. If the update cannot be applied immediately, limit the arrival of untrusted PE files on the host and prioritize the update.
  • After updating, confirm that the definition build the product reports is 25031700 or later, and restart the antivirus service if it has not picked up the new definitions on its own.

Generated by OpenCVE AI on June 12, 2026 at 23:23 UTC.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 22:15:00 +0000

Type         Values Removed   Values Added
Description  -                the description shown at the top of this page
Title        -                Avast antivirus infinite recursion when scanning a malformed PE file
Weaknesses   -                CWE-674
References   -                -
Metrics      -                cvssV3_1: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GEN

Published:

Updated: 2026-06-12T22:07:35.906Z

Reserved: 2025-07-02T07:43:53.447Z

Link: CVE-2025-7005

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T22:16:48.527

Modified: 2026-06-12T22:16:48.527

Link: CVE-2025-7005

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:30:08Z

Weaknesses