CVE-2025-7009 - Vulnerability Details

- Avast antivirus heap buffer OOB read when scanning a malformed PE file

Description

Heap buffer out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Local Execution of Code or Denial-of-Service of the antivirus process.

This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25021310.

The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.

Published: 2026-06-12

Score: 7.8 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a heap buffer out‑of‑bounds read that occurs when Avast and related Gen Digital antivirus products try to scan a malformed Windows PE file. The read can be exploited to execute code locally or to crash the antivirus process, resulting in a denial of service. The weakness corresponds to CWE‑125.

Affected Systems

The affected products are Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus running on Windows, macOS, and Linux. Only virus‑definition builds earlier than VPS 25021310 are vulnerable; all builds at or above that stream are safe.

Risk and Exploitability

The CVSS score of 7.8 indicates moderate to high severity, but EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a local attacker who can place a crafted PE file on a system that will be scanned by the compromised antivirus. An exploit would require the victim to be running the affected product and to load the malicious file during a scan. Because the weakness is read‑only, the consequence is limited to code execution or a process crash, not a full system compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Gen Digital

Avast Antivirus

affected

Version	Status	Constraints
`0`	affected	< 25021310

Gen Digital

AVG Antivirus

affected

Version	Status	Constraints
`0`	affected	< 25021310

Gen Digital

Norton Antivirus

affected

Version	Status	Constraints
`0`	affected	< 25021310

Gen Digital

Avast One

affected

Version	Status	Constraints
`0`	affected	< 25021310

Gen Digital

Avast Business Antivirus

affected

Version	Status	Constraints
`0`	affected	< 25021310

No data.

No data available yet.

Remediation

Vendor Solution

Install virus definitions VPS 25021310 or any later virus-definition update. All builds at or above VPS 25021310 include the fix; staying current on definitions is required.

OpenCVE Recommended Actions

Install the latest virus definition update stream (VPS 25021310 or newer) on all affected antivirus products.
Configure products to automatically check for and download fresh virus definitions.
If an immediate update cannot be applied, quarantine or delete any suspicious PE files to prevent them from being scanned until the update is installed.

Generated by OpenCVE AI on June 12, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.gendigital.com/us/en/contact-us/security-advisories/

History

Fri, 12 Jun 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		Heap buffer out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Local Execution of Code or Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25021310. The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.
Title		Avast antivirus heap buffer OOB read when scanning a malformed PE file
Weaknesses		CWE-125
References		https://www.gendigital.com/us/en/contact-us/security-advisories/
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GEN

Published: 2026-06-12T22:10:26.925Z

Updated: 2026-06-12T22:10:26.925Z

Reserved: 2025-07-02T07:50:52.477Z

Link: CVE-2025-7009

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T22:16:48.943

Modified: 2026-06-12T22:16:48.943

Link: CVE-2025-7009

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:30:08Z

Weaknesses

CWE-125
Out-of-bounds Read

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object