Security researchers from the SAFA team have identified kernel heap overflow vulnerabilities within Avast Antivirus that posed a security risk on Windows 11.
Vulnerabilities and Exploits
On 2025-12-06, it was revealed that four flaws were present in the aswSnx kernel driver of Avast Antivirus. Labeled as CVE-2025-13032, these vulnerabilities could enable a local attacker to escalate privileges to SYSTEM.
- Avast's sandbox implementation was exploited via unsafe string handling and other flaws.
- The vulnerabilities involved double-fetch conditions allowing kernel heap overflows.
- Exploitation required an attacker to register a process in Avast's sandbox.
- CVE-2025-13032 was documented on 2025-11-11 after initial disclosure.
Researchers highlighted the potential danger of such vulnerabilities if left unpatched.
Avast's Response and Mitigation
Avast promptly issued patches addressing these critical vulnerabilities. The updates were released approximately 12 days after identifying the issues, correcting unsafe patterns and enforcing better checks.
The company stated that the patches include corrected double-fetch patterns, improved bounds-checking, and added pointer validity checks, effectively mitigating the outlined risks.
Implications for Security Tools
The discoveries underline that even widely trusted security tools can harbor significant flaws. SAFA's findings emphasize the necessity for constant scrutiny and manual analysis of security software.
By addressing these vulnerabilities, Avast reduces the risk of privilege escalations on systems running Windows 11, thus enhancing overall user security.
