Critical privilege escalation flaw reported in Avast and AVG Antivirus
Take action: If you're using Avast or AVG Antivirus, be aware that all versions before 25.3 have critical vulnerabilities that could let attackers take complete control of your system. Plan a quick update to version 25.3 or later through your antivirus software.
Learn More
Security researchers at SAFA Team are reporting a critical security vulnerabilities in Avast and AVG Antivirus products that could allow attackers to gain complete control over affected systems.
The set of vulnerabilities, collectively tracked as CVE-2025-13032 (CVSS score 9.9), consist of four distinct kernel heap overflow vulnerabilities and two local denial-of-service flaws in the aswSnx kernel driver:
- Primary Double Fetch Pool Overflow (IOCTL 0x82AC0204): When processing Unicode strings, the kernel allocates a buffer based on string length at one point, then copies data at another point, allowing attackers to change the length between operations and cause kernel heap pool overflow with controlled data
- String Length Double Fetch: Similar vulnerability when processing the pString input field where string length is calculated twice through null-byte iteration, enabling pool buffer overflow if the string size increases between calculations
- Pool Buffer Overflow During Process Termination: Misuse of the *snprintf API when copying user-provided strings into fixed-size kernel heap pool buffers during sandboxed process deregistration
- pData Field Double Fetch: Another double fetch issue while processing the pData field where user space strings are iterated twice to calculate size, resulting in different allocation and copy sizes
- Two Local Denial-of-Service Vulnerabilities: Missing ProbeForRead pointer validation checks that allow users to supply invalid pointers, causing kernel crashes
All versions of Avast Community Edition, Avast Enterprise Edition, and AVG Antivirus prior to version 25.3 on Windows platforms are affected.
Avast, owned by Gen Digital (which also owns AVG, Avira, and Norton/Symantec brands), released the first patched version on April 1, 2025, fixing most vulnerabilities just 12 days after initial acceptance on March 18, 2025. The remaining vulnerability was confirmed fixed by October 3, 2025, and CVE-2025-13032 was formally assigned and published on November 11, 2025.
Organizations using affected versions should immediately upgrade to Avast/AVG Antivirus version 25.3 or later.
