Avast Antivirus Sandbox Vulnerabilities Let Attackers Escalate Privileges

Posted on December 6, 2025 By CWS

Security researchers from the SAFA team have uncovered four kernel heap overflow vulnerabilities in Avast Antivirus, all traced to the aswSnx kernel driver.

The issues, now tracked collectively as CVE-2025-13032, could allow a local attacker to escalate privileges to SYSTEM on Windows 11 if successfully exploited.

The research focused on Avast's sandbox implementation, a component designed to isolate untrusted processes.

Avast Sandbox Escape Vulnerability

To reach the vulnerable code paths, the team first had to understand and manipulate Avast's custom sandbox profile, since the main IOCTL handlers in aswSnx are accessible only to sandboxed processes, not to regular user processes.

By analyzing Avast's kernel drivers and IOCTL interfaces, the researchers identified aswSnx as the most promising target because of its large number of user-accessible IOCTL handlers.

Within these handlers, SAFA found several cases where user-controlled data from user space was improperly handled in kernel space.

Specifically, several "double fetch" conditions allowed the length of user-supplied strings to be modified between the validation, allocation, and copy operations, leading to controlled kernel heap overflows.

Additional issues included unsafe use of string functions and missing pointer validation, which could be exploited to cause local denial-of-service conditions.

Altogether, the team reported four kernel heap overflow vulnerabilities and two local system DoS issues affecting Avast 25.2.9898.0 and potentially other Gen Digital products that share the same driver code.

Exploiting these bugs required first registering an attacker-controlled process into the Avast sandbox via a specific IOCTL that updates the sandbox configuration.

Once inside the sandbox, the attacker could trigger the vulnerable IOCTLs and achieve local privilege escalation to SYSTEM. Avast responded quickly, issuing patches that corrected the double-fetch patterns, implemented proper bounds checking on string operations, and added the missing validity checks before dereferencing user pointers.
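The double-fetch pattern described above, and the shape of the fix Avast shipped (capture the length once, bounds-check it, and validate the pointer before use), as an added C example that is not Avast's or SAFA's code. It is a user-mode model of an IOCTL handler that reads a user-controlled length twice, placed beside the hardened single-fetch form. The request structure, the function names, and the `race_fn` callback that stands in for a concurrent user-mode thread are all hypothetical; the real driver's internals are not public and nothing here reflects them.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a request buffer shared with user space.
 * Hypothetical layout; the real driver's structures are not public. */
#define MAX_PAYLOAD 64

struct user_request {
    uint32_t length;            /* user-controlled, may change at any time */
    char     data[MAX_PAYLOAD]; /* user-controlled payload */
};

enum ioctl_status {
    IOCTL_OK = 0,
    IOCTL_INVALID_LENGTH,       /* rejected by validation (or null pointer) */
    IOCTL_OVERFLOW_DETECTED     /* copy length exceeded the allocation */
};

/* Models the user-mode thread that races the handler: invoked in the
 * window between the handler's two reads of req->length. */
typedef void (*race_fn)(struct user_request *req);

/* VULNERABLE: the length is fetched from user memory twice. Fetch #1 is
 * validated and sizes the allocation; fetch #2 sizes the copy. A racing
 * user thread can change the value in between (time-of-check/time-of-use). */
enum ioctl_status handle_double_fetch(struct user_request *req, race_fn race)
{
    if (!req)
        return IOCTL_INVALID_LENGTH;

    uint32_t len_checked = req->length;           /* fetch #1 */
    if (len_checked > MAX_PAYLOAD)
        return IOCTL_INVALID_LENGTH;

    char *kbuf = malloc(len_checked ? len_checked : 1);
    if (!kbuf)
        return IOCTL_INVALID_LENGTH;

    if (race)
        race(req);                                /* the TOCTOU window */

    uint32_t len_copy = req->length;              /* fetch #2 sizes the copy */

    /* A real driver would run memcpy with len_copy here and overflow kbuf
     * whenever len_copy > len_checked. The model reports that condition
     * instead of corrupting the heap. */
    if (len_copy > len_checked) {
        free(kbuf);
        return IOCTL_OVERFLOW_DETECTED;
    }
    memcpy(kbuf, req->data, len_copy);
    free(kbuf);
    return IOCTL_OK;
}

/* FIXED: the pointer is validated and the length is captured into a local
 * exactly once; validation, allocation and copy all use the captured value,
 * so later changes to user memory cannot desynchronise them. */
enum ioctl_status handle_single_fetch(struct user_request *req, race_fn race)
{
    if (!req)
        return IOCTL_INVALID_LENGTH;              /* missing-pointer check */

    uint32_t len = req->length;                   /* the only fetch */
    if (len > MAX_PAYLOAD)
        return IOCTL_INVALID_LENGTH;

    char *kbuf = malloc(len ? len : 1);
    if (!kbuf)
        return IOCTL_INVALID_LENGTH;

    if (race)
        race(req);                                /* same window, now harmless */

    memcpy(kbuf, req->data, len);                 /* bounded by captured len */
    free(kbuf);
    return IOCTL_OK;
}

/* Constructed racing thread: inflates the length after validation. */
void grow_length(struct user_request *req)
{
    req->length = 4096;
}

/* Runs one handler against a constructed request of the given length. */
enum ioctl_status scenario(enum ioctl_status (*handler)(struct user_request *, race_fn),
                           uint32_t length, race_fn race)
{
    struct user_request req;
    memset(&req, 0, sizeof req);
    req.length = length;
    memset(req.data, 'A', MAX_PAYLOAD);          /* constructed payload */
    return handler(&req, race);
}

int main(void)
{
    printf("double fetch, racing thread : %d\n", scenario(handle_double_fetch, 16, grow_length));
    printf("single fetch, racing thread : %d\n", scenario(handle_single_fetch, 16, grow_length));
    printf("single fetch, oversize      : %d\n", scenario(handle_single_fetch, 200, NULL));
    return 0;
}
```

With the racing thread active, the double-fetch handler reports `IOCTL_OVERFLOW_DETECTED` (status 2) while the single-fetch handler returns `IOCTL_OK` (status 0) because its copy length is the value it already validated. In a real Windows driver the captured copy is taken from the probed user buffer (`ProbeForRead` followed by a single read into a kernel local, all under the appropriate exception handling), and every later size computation uses that local rather than re-reading user memory.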

According to the timeline shared by SAFA, most of the vulnerabilities were fixed within about 12 days of initial acceptance, and CVE-2025-13032 was formally published on November 11, 2025.

The SAFA team says these findings show that serious kernel flaws can still be discovered in widely used security tools through careful manual review and modern techniques.
