Description
Avira Internet Security contains a time-of-check time-of-use (TOCTOU) vulnerability in the Optimizer component. A privileged service running as SYSTEM identifies directories for cleanup during a scan phase and subsequently deletes them during a separate cleanup phase without revalidating the target path. A local attacker can replace a previously scanned directory with a junction or reparse point before deletion occurs, causing the privileged process to delete an unintended system location. This may result in deletion of protected files or directories and can lead to local privilege escalation, denial of service, or system integrity compromise depending on the affected target.
Published: 2026-03-05
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Avira Internet Security includes a TOCTOU flaw within its Optimizer module. The privileged cleanup service, running as SYSTEM, first scans the file system and records directories slated for removal, then deletes them in a second phase without re‑validating the actual path. A local user can replace a scanned directory with a junction or reparse point before the delete step, causing the privileged process to erase an unintended target. The result can be deletion of protected files or directories, which may grant the attacker elevated privileges, cause data loss, or destabilize the system. This defect corresponds to CWE‑367.
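
The scan-then-delete pattern described above, with the missing revalidation step put back, as an added Python example (not Avira's code). The names `scan`, `cleanup` and `demo` are hypothetical, the scenario is constructed in a temporary directory, and a symlink stands in for a junction.

```python
import os
import shutil
import stat
import tempfile

# Windows reparse-point attribute bit (junctions, symlinks, mount points).
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)

def is_link_like(st):
    """True for symlinks and, on Windows, junctions or other reparse points."""
    return stat.S_ISLNK(st.st_mode) or bool(getattr(st, "st_file_attributes", 0) & REPARSE)

def scan(path):
    """Scan phase: record the directory's identity, not only its name."""
    st = os.lstat(path)
    if is_link_like(st) or not stat.S_ISDIR(st.st_mode):
        return None
    return {"path": path, "id": (st.st_dev, st.st_ino)}

def cleanup(entry):
    """Cleanup phase: re-check the path right before deleting; refuse on mismatch."""
    try:
        st = os.lstat(entry["path"])
    except FileNotFoundError:
        return "gone"
    if is_link_like(st) or (st.st_dev, st.st_ino) != entry["id"]:
        return "refused"
    shutil.rmtree(entry["path"])
    return "deleted"

def demo():
    """Constructed scenario: one untouched target, one swapped for a link."""
    root = tempfile.mkdtemp()
    protected = os.path.join(root, "protected")
    os.mkdir(protected)
    open(os.path.join(protected, "keep.txt"), "w").close()
    cache_a, cache_b = os.path.join(root, "cache_a"), os.path.join(root, "cache_b")
    os.mkdir(cache_a)
    os.mkdir(cache_b)
    entries = [scan(cache_a), scan(cache_b)]
    # Between the phases, cache_b is replaced by a link to the protected directory.
    os.rmdir(cache_b)
    os.symlink(protected, cache_b, target_is_directory=True)
    results = [cleanup(e) for e in entries]
    survived = os.path.exists(os.path.join(protected, "keep.txt"))
    shutil.rmtree(root)
    return results, survived
```

A path check immediately before deletion narrows the window but does not close it; a complete fix opens the directory without following reparse points and performs the deletion through that handle.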

Affected Systems

Gen Digital Inc.’s Avira Internet Security Suite for Windows is affected in versions older than 1.1.114.3113. The vulnerability exists in the Optimizer component and can be triggered on any Windows installation running the vulnerable product.

Risk and Exploitability

The CVSS v3.1 base score is 7.8 (High), and the EPSS-estimated probability of exploitation is below one percent. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker needs only local, non‑privileged access to replace a directory the optimizer has already scanned with a junction or reparse point. When the privileged cleanup runs, the deletion is redirected to the junction's target, which can remove critical system files and lead to privilege escalation or denial of service. Despite the low exploitation probability, the impact of a SYSTEM-level deletion of an unintended location warrants an urgent response.

Generated by OpenCVE AI on April 16, 2026 at 12:23 UTC.

Remediation

Vendor Solution

Upgrade Avira Internet Security for Windows to version 1.1.114.3113 or later. Apply updates through the product's built-in updater or a fresh install from the vendor; see the release-notes reference in this record for current supported versions.


OpenCVE Recommended Actions

  • Upgrade Avira Internet Security to version 1.1.114.3113 or newer using the built‑in updater or by installing a fresh copy from the vendor.
  • Avoid creating junctions or reparse points in directories that the Avira optimizer will scan until the product is patched.
  • Monitor system logs for unexpected deletions and review the optimizer's cleanup behavior after the update to ensure the issue is resolved.


History

Wed, 01 Apr 2026 23:45:00 +0000


Fri, 13 Mar 2026 01:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Avira internet Security
CPEs | | cpe:2.3:a:avira:internet_security:*:*:*:*:*:windows:*:*
Vendors & Products | | Avira internet Security

Fri, 06 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gen Digital; Gen Digital avira Internet Security
Vendors & Products | | Gen Digital; Gen Digital avira Internet Security

Fri, 06 Mar 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Avira; Avira avira Internet Security Suite
CPEs | | cpe:2.3:a:avira:avira_internet_security_suite:*:*:*:*:*:windows:*:*
Vendors & Products | | Avira; Avira avira Internet Security Suite

Thu, 05 Mar 2026 22:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 05 Mar 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | Avira Internet Security contains a time-of-check time-of-use (TOCTOU) vulnerability in the Optimizer component. A privileged service running as SYSTEM identifies directories for cleanup during a scan phase and subsequently deletes them during a separate cleanup phase without revalidating the target path. A local attacker can replace a previously scanned directory with a junction or reparse point before deletion occurs, causing the privileged process to delete an unintended system location. This may result in deletion of protected files or directories and can lead to local privilege escalation, denial of service, or system integrity compromise depending on the affected target.
Title | | Avira Internet Security Optimizer TOCTOU
Weaknesses | | CWE-367
References | |
Metrics | | cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T14:38:35.968Z

Reserved: 2026-02-23T21:38:48.842Z

Link: CVE-2026-27750

Vulnrichment

Updated: 2026-03-06T18:17:38.584Z

NVD

Status: Modified

Published: 2026-03-05T15:16:12.153

Modified: 2026-04-01T15:22:36.107

Link: CVE-2026-27750

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z
