Security researchers from the SAFA team have discovered four critical kernel heap overflow vulnerabilities in Avast Antivirus, tracked collectively as CVE-2025-13032, that enable local attackers to escalate privileges to SYSTEM level on Windows systems. The flaws reside in the aswSnx kernel driver—Avast's core security component—and exploit unsafe handling of user-controlled data through double-fetch conditions and missing pointer validation in IOCTL handlers, potentially affecting millions of users relying on one of the world's most widely deployed antivirus solutions.
The SAFA research team methodically analyzed Avast's kernel driver architecture, identifying the aswSnx.sys driver as the primary attack surface due to its extensive exposure of user-accessible IOCTL (Input/Output Control) handlers. Unlike traditional antivirus implementations, Avast's architecture permits sandboxed processes—not regular user processes—to access the most critical IOCTL handlers, creating a unique exploitation pathway requiring sandbox manipulation rather than traditional privilege escalation.
Researchers reverse-engineered Avast's custom sandbox profile enforcement mechanism defined in snx_lconfig.xml, discovering that vulnerable IOCTL handlers remain accessible only to processes registered with specific sandbox flags such as fAutosandbox and scanhandle=1. This architectural choice, intended as a security boundary, inadvertently created a secondary attack vector requiring initial sandbox registration before exploiting kernel vulnerabilities.
The core vulnerability stems from unsafe IOCTL handler 0x82AC0204, which processes user-supplied UNICODE_STRING structures without properly capturing them in kernel memory. The vulnerable code fetches the Length field twice: once for allocation calculations and again for copy operations. This double-fetch condition enables attackers to alter the Length value between validation and actual copying operations, resulting in controlled kernel heap overflows.
Similar unsafe patterns affect the pString and pData fields within the same handler, where missing pointer validation creates additional exploitation opportunities. String function misuse and inadequate bounds checking compound the vulnerability surface, enabling attackers to write attacker-controlled data to arbitrary kernel heap locations.
Successful exploitation requires a multi-stage attack sequence:
Stage 1 - Sandbox Registration: The attacker leverages IOCTL 0x82AC0054 to register an attacker-controlled executable into Avast's sandbox configuration. Despite operating under read-only permission restrictions, this registration grants the attacker-controlled process access to vulnerable IOCTL handlers normally isolated from regular user processes.
Stage 2 - Vulnerability Triggering: Once registered within the sandbox, the attacker triggers vulnerable IOCTLs with carefully crafted payloads. The double-fetch conditions enable modifying the Length field after initial validation, causing the kernel to write more data than initially allocated, overflowing the kernel heap.
Stage 3 - Heap Exploitation: Controlled kernel heap overflows enable attackers to overwrite critical kernel data structures, including function pointers and privilege escalation tokens. Sophisticated heap grooming techniques allow deterministic exploitation.
Stage 4 - SYSTEM Privilege Achievement: Through heap overflow exploitation, attackers achieve arbitrary code execution in kernel context, enabling privilege escalation to SYSTEM level—the highest privilege available on Windows systems.
The CVE-2025-13032 vulnerability carries a CVSS v3.1 severity score of 9.9 (Critical), reflecting:
Low Attack Complexity: Exploitation requires straightforward IOCTL invocation and heap manipulation.
Low Privilege Requirements: Standard user-level processes can trigger the vulnerability after sandbox registration.
Complete CIA Impact: Privilege escalation enables unauthorized access (Confidentiality), modification (Integrity), and denial of service (Availability).
Scope Change: Vulnerability crosses privilege boundaries from user-level to kernel-level execution.
Avast responded swiftly to the SAFA disclosure, issuing patches in version 25.3 that address the vulnerability through:
Structure Capture to Kernel Memory: Copying user-supplied structures entirely to kernel memory before processing, eliminating double-fetch conditions.
Length Reuse: Reusing initial validated lengths throughout operations rather than re-fetching from user space.
Size Validation: Adding comprehensive size checks against fixed buffer dimensions before copy operations.
Pointer Validation: Implementing proper validity checks before dereferencing user-supplied pointers.
The vulnerability was officially published November 11, 2025, following approximately 12 days between initial acceptance and patch release—notably rapid for a critical kernel vulnerability.
SAFA's analysis identified shared code between Avast and other Gendigital products, suggesting potential vulnerability impact across the product family. While unverified for other products, organizations deploying multiple Gendigital security solutions should assess patch coverage across their entire deployment.
Organizations and individuals running Avast Antivirus should immediately:
Update to Version 25.3 or Later: Deploy the patched version to eliminate the vulnerability.
Limit Local User Privileges: Apply the principle of least privilege, restricting standard user accounts from unnecessary administrative capabilities.
Audit Privilege Escalation Attempts: Monitor security logs for IOCTL invocations and privilege escalation patterns that could indicate exploitation attempts.
Enable Automatic Updates: Configure automatic patching to receive security updates without manual intervention.
The discovery underscores a persistent challenge in security software development: antivirus drivers inherently operate at kernel privilege level to provide effective threat detection. This privileged position creates substantial attack surface when kernel implementations contain memory safety vulnerabilities. Even mature, widely-deployed security tools remain vulnerable to careful kernel-level analysis and exploitation.