👤 NEONPALADIN
🗓️ 05 Dec 2025   🌍 Europe

When Security Tools Turn Traitor: Avast’s Sandbox Flaw Exposes Windows to Attack

Critical vulnerabilities in Avast’s antivirus sandbox flip the script, letting local attackers climb to SYSTEM privileges - reminding us that even our digital “bodyguards” can be double agents.

Fast Facts

  • Four kernel vulnerabilities in Avast Antivirus’s aswSnx.sys driver (CVE-2025-13032) threaten Windows systems before version 25.3.
  • The flaws allow local attackers to escalate privileges to SYSTEM - the highest level on Windows.
  • Attackers must manipulate Avast’s sandbox, a rare twist on typical sandbox-escape attacks.
  • Patches have been released; updating Avast is strongly advised for all users.
  • Similar vulnerabilities in antivirus drivers have caused major incidents in the past, raising industry-wide concerns.

The Bodyguard’s Blind Spot

Imagine hiring a security guard who, instead of keeping intruders out, sometimes opens the back door to let them in. That’s the unsettling reality for users of Avast Antivirus, after researchers at SAFA uncovered a quartet of dangerous flaws lurking in the software’s very heart - the kernel driver aswSnx.sys.

These vulnerabilities, now tracked as CVE-2025-13032, allow any attacker with local access to manipulate Avast’s “sandbox” - a feature meant to contain threats - and instead use it as a launchpad to seize full control of the system. The exploit is a reversal of the usual story, where attackers try to break out of sandboxes. Here, the sandbox itself becomes the gateway to power.

How the Flaw Works

At the core is a subtle programming error known as a “double-fetch”: the driver reads the same user-supplied value twice, once to validate it and once to use it, and an attacker who controls that memory can change it between the two reads, so the value that gets used is not the value that was checked. This lets them cause a “heap overflow,” overrunning a portion of the system’s memory - think of pouring too much water into a cup, causing it to spill into neighboring, sensitive areas. By exploiting this, a determined user can escalate their privileges to SYSTEM, the digital equivalent of becoming the computer’s all-powerful administrator.

The exposed attack surface comes from the way Avast allows certain processes - those running inside its sandbox - to access powerful driver commands (IOCTLs). By manipulating configuration files and crafting a malicious program, researchers demonstrated a working exploit even on the latest Windows 11, bypassing the very safeguards meant to stop malware.
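To make the double-fetch pattern concrete, here is an added, self-contained C model (not Avast’s code, and nothing from the aswSnx.sys driver) of an IOCTL handler that copies a caller-supplied buffer into a fixed-size kernel buffer. The “user memory” and the racing thread are constructed: `copy_from_user_sim` hands back a fresh read of the caller’s memory on every call and lets the simulated racer rewrite the length field right after the first read. The vulnerable handler fetches the length once to check it and again to use it; the hardened handler fetches the whole header exactly once into kernel memory and validates and uses only that private copy. Because the vulnerable version would otherwise overrun its 64-byte buffer, the demo reports the bypassed check instead of corrupting memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kernel-side scratch buffer size: the bound every request must respect. */
#define KBUF_SIZE 64u

/* Request header as the (simulated) user process lays it out. */
struct req_hdr {
    uint32_t len;           /* payload bytes the caller claims to send */
    uint8_t  payload[256];
};

/* Constructed model of user memory. A racing user thread is modelled by
 * rewriting 'len' right after the kernel's first read of the header. */
struct user_mem {
    struct req_hdr hdr;
    uint32_t racer_len;     /* value the racing thread writes */
    int      reads;         /* how many times the kernel touched this memory */
};

static struct user_mem make_user(uint32_t len, uint32_t racer_len) {
    struct user_mem u;
    memset(&u, 0, sizeof u);
    u.hdr.len = len;
    u.racer_len = racer_len;
    memset(u.hdr.payload, 0x41, sizeof u.hdr.payload); /* constructed filler */
    return u;
}

/* Stand-in for a copy-from-user primitive: every call is a fresh read of
 * user memory, and after the first one the racing thread gets its turn. */
static void copy_from_user_sim(void *dst, struct user_mem *u, size_t n) {
    memcpy(dst, &u->hdr, n);
    if (u->reads == 0)
        u->hdr.len = u->racer_len;
    u->reads++;
}

enum { RC_OK = 0, RC_EINVAL = -1, RC_CHECK_BYPASSED = -2 };

/* Vulnerable pattern: the length is fetched once for the bounds check and
 * again for the copy, so the second fetch can see a different value. */
static int ioctl_double_fetch(struct user_mem *u, uint8_t *kbuf, size_t *copied) {
    uint32_t len;
    copy_from_user_sim(&len, u, sizeof len);        /* fetch #1: validate */
    if (len > KBUF_SIZE)
        return RC_EINVAL;
    copy_from_user_sim(&len, u, sizeof len);        /* fetch #2: use */
    if (len > KBUF_SIZE)
        /* A real driver has no guard here and would memcpy 'len' bytes into
         * the 64-byte kbuf. This demo reports the bypass instead. */
        return RC_CHECK_BYPASSED;
    memcpy(kbuf, u->hdr.payload, len);
    *copied = len;
    return RC_OK;
}

/* Hardened pattern: fetch the whole header once into kernel memory, then
 * validate and use only that private copy. The racer cannot touch it. */
static int ioctl_single_fetch(struct user_mem *u, uint8_t *kbuf, size_t *copied) {
    struct req_hdr local;
    copy_from_user_sim(&local, u, sizeof local);    /* the only fetch */
    if (local.len > KBUF_SIZE || local.len > sizeof local.payload)
        return RC_EINVAL;
    memcpy(kbuf, local.payload, local.len);
    *copied = local.len;
    return RC_OK;
}

/* Drive one request through a handler; returns the handler's status code. */
static int run(int (*h)(struct user_mem *, uint8_t *, size_t *),
               uint32_t len, uint32_t racer_len, size_t *copied) {
    struct user_mem u = make_user(len, racer_len);
    uint8_t kbuf[KBUF_SIZE];
    *copied = 0;
    return h(&u, kbuf, copied);
}

int main(void) {
    size_t c;
    printf("double fetch, racer rewrites len to 4096: rc=%d\n",
           run(ioctl_double_fetch, 16, 4096, &c));   /* bypassed check */
    printf("single fetch, same race: rc=%d copied=%zu\n",
           run(ioctl_single_fetch, 16, 4096, &c), c); /* safe, copies 16 */
    return 0;
}
```

The defensive rule the hardened handler follows is the one kernel coding guidance gives for any IOCTL: copy user-controlled input into kernel-owned memory exactly once, validate the copy, and never dereference the user pointer again for the same field.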

Lessons from Past and Present

Antivirus software has long been a tempting target for hackers, precisely because it runs with elevated privileges. Similar design flaws have haunted the industry for years: in 2020, for example, security firm SentinelOne exposed critical driver bugs in multiple antivirus products, some of which remained unpatched for months. The latest Avast case echoes these incidents, underlining how quickly attackers adapt and how even “defensive” code can become a liability.

With Avast’s driver code shared across Gendigital’s product line, the potential blast radius could be wider than initially thought. While Avast moved quickly to patch the flaw in version 25.3, the incident is a wake-up call for organizations and individuals alike: trust, but verify - even your protectors. Regular updates, limiting local privileges, and active monitoring remain the best defenses.

In the digital arms race, every shield can become a sword in the wrong hands. As our tools grow more complex, vigilance is the price of safety - even when it comes to the guardians themselves.

WIKICROOK

  • Kernel driver: A kernel driver is a core program that enables direct interaction between an operating system and hardware, managing key functions at a low level.
  • Sandbox: A sandbox is a secure, isolated environment where experts safely analyze suspicious files or programs without endangering real systems or data.
  • Privilege escalation: Privilege escalation occurs when an attacker gains higher-level access, moving from a regular user account to administrator privileges on a system or network.
  • Heap overflow: A heap overflow is a programming flaw where excess data overwrites a memory area, risking data corruption and enabling potential cyberattacks.
  • IOCTL (Input/Output Control): IOCTLs are special commands that let software communicate with device drivers, enabling advanced control and information retrieval from hardware devices.
Avast Sandbox Privilege Escalation

NEONPALADIN
Cyber Resilience Engineer