Critical Vulnerabilities in Avast Antivirus Allow Privilege Escalation on Windows 11 Systems

Security researchers from the SAFA team have identified four critical kernel heap overflow vulnerabilities in Avast Antivirus, all linked to the aswSnx kernel driver. These vulnerabilities, collectively assigned CVE-2025-13032, could enable local attackers to escalate their privileges to SYSTEM level on Windows 11 systems upon successful exploitation.

The research primarily focused on Avast’s sandbox feature, designed to isolate untrusted processes. To access the vulnerable code paths, the team analyzed and manipulated Avast’s custom sandbox profile. They discovered that the most critical IOCTL (Input/Output Control) handlers in aswSnx are accessible only to processes within the sandbox, not to regular user processes.

By examining Avast’s kernel drivers and IOCTL interfaces, the researchers identified aswSnx as a significant target because of its numerous user-accessible IOCTL handlers. Within these handlers, they found several instances where user-controlled data was handled unsafely in kernel space. Notably, multiple double-fetch conditions meant that the length of a user-supplied string was read from user memory more than once, so it could be changed between the validation, allocation, and copy steps, leading to controlled kernel heap overflows.
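The double-fetch pattern described above, shown as an added example that is not SAFA's research code or Avast's driver code. The request layout, the handler names and the `run_scenario` helper are constructed for illustration; `malloc` stands in for a kernel pool allocation, and a hook called between the handler's fetches stands in for the concurrent user-mode thread that rewrites the length. The vulnerable handler reports the would-be overflow instead of corrupting memory; the hardened handler captures the length once and uses that single value for validation, allocation and copy, which is the fix pattern the article attributes to the patches.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed request layout for this example only; it is NOT Avast's IOCTL
 * structure. In a real driver this lives in user memory the caller can rewrite
 * at any moment, which is why 'len' is volatile here. */
struct user_req {
    volatile uint32_t len;
    char data[256];
};

#define MAX_LEN 128u

/* Points at which a concurrent user-mode writer may modify the request. */
enum stage { AFTER_VALIDATE = 1, AFTER_ALLOC = 2 };
typedef void (*race_hook)(struct user_req *req, enum stage s);

enum outcome { OUT_OK = 0, OUT_REJECTED = 1, OUT_OVERFLOW_DETECTED = 2 };

/* Vulnerable pattern: req->len is read from user memory three times, so the
 * value that passed validation need not be the value used to allocate or copy. */
enum outcome handle_double_fetch(struct user_req *req, race_hook hook)
{
    if (req->len > MAX_LEN)                 /* fetch 1: validate */
        return OUT_REJECTED;
    if (hook) hook(req, AFTER_VALIDATE);

    size_t alloc = req->len;                /* fetch 2: size the allocation */
    char *buf = malloc(alloc + 1);
    if (!buf) return OUT_REJECTED;
    if (hook) hook(req, AFTER_ALLOC);

    size_t copy_len = req->len;             /* fetch 3: copy length */
    enum outcome r = OUT_OK;
    if (copy_len > alloc) {
        /* memcpy(buf, req->data, copy_len) would write past the heap chunk.
         * The example reports the condition instead of corrupting memory. */
        r = OUT_OVERFLOW_DETECTED;
    } else {
        memcpy(buf, req->data, copy_len);
        buf[copy_len] = '\0';
    }
    free(buf);
    return r;
}

/* Hardened pattern: the length is fetched exactly once into a kernel-side
 * local; validation, allocation and copy all use that captured value. */
enum outcome handle_single_fetch(struct user_req *req, race_hook hook)
{
    size_t len = req->len;                  /* single fetch into a trusted local */
    if (len > MAX_LEN)
        return OUT_REJECTED;
    if (hook) hook(req, AFTER_VALIDATE);

    char *buf = malloc(len + 1);
    if (!buf) return OUT_REJECTED;
    if (hook) hook(req, AFTER_ALLOC);

    memcpy(buf, req->data, len);            /* later changes to req->len are irrelevant */
    buf[len] = '\0';
    free(buf);
    return OUT_OK;
}

/* Models the racing user thread: after the allocation has been sized from a
 * small length, it rewrites len to a value larger than the chunk. */
static void racing_writer(struct user_req *req, enum stage s)
{
    if (s == AFTER_ALLOC)
        req->len = 200;
}

/* Runs one scenario: 'hardened' selects the handler, 'raced' enables the writer. */
enum outcome run_scenario(int hardened, int raced)
{
    struct user_req req;
    memset(&req, 0, sizeof req);
    req.len = 8;                            /* passes validation (8 <= MAX_LEN) */
    memcpy(req.data, "AAAAAAAA", 8);
    race_hook hook = raced ? racing_writer : NULL;
    return hardened ? handle_single_fetch(&req, hook)
                    : handle_double_fetch(&req, hook);
}

int main(void)
{
    printf("double fetch, no race : %d\n", run_scenario(0, 0));
    printf("double fetch, raced   : %d\n", run_scenario(0, 1));
    printf("single fetch, raced   : %d\n", run_scenario(1, 1));
    return 0;
}
```

Without the racing writer both handlers behave identically, which is why this class of bug survives functional testing; only the raced run of the double-fetch handler reaches a copy length larger than its allocation. The hardened handler's validation, allocation and copy all derive from one local variable, so no later write to the user buffer can desynchronize them.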

Additional issues included unsafe use of string functions and missing pointer validation, which could be triggered to cause a local denial of service. In total, the team reported four kernel heap overflow vulnerabilities and two local denial-of-service issues affecting Avast version 25.2.9898.0 and potentially other Gen Digital products sharing the same driver code.

Exploiting these vulnerabilities required an attacker to first register a controlled process into the Avast sandbox via a specific IOCTL that updates the sandbox configuration. Once inside the sandbox, the attacker could trigger the vulnerable IOCTLs and achieve local privilege escalation to SYSTEM level.

Avast responded promptly, issuing patches that corrected the double-fetch patterns, enforced proper bounds checking on string operations, and added missing validity checks before dereferencing user pointers. According to the timeline shared by SAFA, most vulnerabilities were fixed within approximately 12 days of initial acceptance, with CVE-2025-13032 officially published on November 11, 2025.

The SAFA team emphasized that these findings demonstrate that serious kernel flaws can still be discovered in widely used security tools through careful manual checks and innovative techniques.