
Experts in security from the SAFA group have revealed four kernel heap overflow weaknesses in Avast Antivirus, all linked to the aswSnx kernel driver.

The vulnerabilities, currently cataloged as CVE-2025-13032, might enable a local attacker to elevate privileges to SYSTEM on Windows 11 if successfully exploited.

The investigation concentrated on Avast’s sandbox functionality, a feature intended to isolate untrustworthy processes.

Avast Sandbox Escape Weakness

To access the vulnerable code segments, the group first needed to comprehend and manipulate Avast’s tailored sandbox profile, because the most significant IOCTL handlers in aswSnx are only reachable from sandboxed processes, not from ordinary user processes.

Through examination of Avast’s kernel drivers and IOCTL interfaces, the analysts pinpointed aswSnx as the most promising target due to its high number of user-accessible IOCTL handlers.


Within these handlers, SAFA discovered multiple instances where user-controlled data from user space was improperly managed in kernel space.

Specifically, various “double fetch” scenarios permitted the length of user-provided strings to be modified between validation, allocation, and copy operations, resulting in controlled kernel heap overflows.
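
As an added illustration, not code from SAFA’s research or from Avast’s driver, the following constructed C model shows the double-fetch pattern described above beside the single-fetch fix; the request layout, MAX_LEN and all function names are assumptions, and the copy is clamped so the model reports rather than performs the overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEN 32u

/* Constructed model of a user-mode IOCTL input buffer; not aswSnx's real layout. */
struct user_req {
    volatile uint32_t len;   /* user-owned: another thread may rewrite it at any time */
    char data[64];
};

/* Stands in for a racing user thread; the target value is set by run_case() below. */
static uint32_t g_raced_len;
static void racer(struct user_req *req) { req->len = g_raced_len; }

/* Vulnerable pattern: the length is fetched once to validate and allocate,
 * then fetched again to copy. Returns how many bytes the copy would have
 * written past the allocation (0 when safe); the memcpy itself is clamped so
 * this model does not actually corrupt memory. */
static size_t handle_double_fetch(struct user_req *req, void (*race)(struct user_req *)) {
    uint32_t n = req->len;                       /* fetch #1: validate and size the allocation */
    if (n > MAX_LEN) return 0;                   /* request rejected */
    char *kbuf = malloc(n);
    if (!kbuf) return 0;
    if (race) race(req);                         /* window between the two fetches */
    uint32_t m = req->len;                       /* fetch #2: trusted without re-checking */
    size_t overflow = m > n ? m - n : 0;
    memcpy(kbuf, req->data, m > n ? n : m);      /* real code would copy m bytes into n */
    free(kbuf);
    return overflow;
}

/* Hardened pattern: read the length into a kernel-owned local exactly once and
 * use only that local for validation, allocation and copy. */
static size_t handle_single_fetch(struct user_req *req, void (*race)(struct user_req *)) {
    const uint32_t n = req->len;                 /* the only read of user memory */
    if (n > MAX_LEN) return 0;
    char *kbuf = malloc(n);
    if (!kbuf) return 0;
    if (race) race(req);                         /* user memory changes; n does not */
    memcpy(kbuf, req->data, n);
    free(kbuf);
    return 0;
}

/* Runs one constructed case: len starts at initial, the racer rewrites it to raced. */
size_t run_case(uint32_t initial, uint32_t raced, int hardened) {
    struct user_req req = { .len = initial };
    g_raced_len = raced;
    return hardened ? handle_single_fetch(&req, racer) : handle_double_fetch(&req, racer);
}
```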

Additional concerns involved unsafe use of string functions and missing pointer validation, which could lead to local denial-of-service conditions.

In total, the group disclosed four kernel heap overflow vulnerabilities and two local system DoS issues impacting Avast 25.2.9898.0 and potentially other Gen Digital products utilizing the same driver code.

Exploiting these flaws required the initial registration of an attacker-controlled process into the Avast sandbox via a particular IOCTL that adjusts the sandbox configuration.

Once within the sandbox, the attacker could invoke the vulnerable IOCTLs and achieve local privilege escalation to SYSTEM. Avast acted swiftly, releasing updates that resolved the double-fetch issues, implemented proper bounds checking on string operations, and added the missing validity checks prior to dereferencing user pointers.

According to the timeline provided by SAFA, most vulnerabilities were remedied within approximately 12 days of initial review, with CVE-2025-13032 officially published on November 11, 2025.

The SAFA group states these discoveries illustrate that severe kernel vulnerabilities can still be uncovered in commonly utilized security tools via careful manual evaluations and creative techniques.
