SAFA researchers uncovered four kernel heap overflow vulnerabilities in Avast Antivirus’s aswSnx.sys driver, designated CVE-2025-13032, affecting versions before 25.3 on Windows.
These flaws originate from double-fetch issues in IOCTL handling and allow local attackers to trigger pool overflows for privilege escalation to SYSTEM.
The vulnerabilities require sandbox manipulation to access the attack surface, marking a reversal from typical sandbox escape scenarios.
Research Approach
SAFA targeted Avast due to its widespread deployment and rich kernel attack surface via user-accessible drivers, such as aswSnx, which exposes numerous IOCTL handlers under permissive ACLs.
Analysis focused on kernel components processing user-controlled data, prioritizing those with high IOCTL counts for efficiency in a time-limited audit.
Reverse engineering revealed shared code across Gendigital products, potentially broadening the impact, though this was not verified.
Manual auditing, combined with heuristics such as tracing ProbeForRead calls, quickly pinpointed flaws in IOCTL 0x82AC0204, which processes user-supplied UNICODE_STRING structures without properly capturing them in kernel memory.
The driver fetches the Length field twice, once for allocation and again for copying, which lets an attacker change it between the two reads to produce a controlled heap overflow.
Similar issues affect the pString and pData fields, including missing pointer validation that leads to DoS.
The aswSnx driver enforces a custom sandbox via snx_lconfig.xml, restricting vulnerable IOCTLs to profiled processes with flags like fAutosandbox and scanhandle=1.
Standard processes lack access, necessitating config manipulation through IOCTL 0x82AC0054, which registers executables under read-only permissions.
This allowed generating a sandboxed exploit.exe to trigger crashes and confirm primitives.
Additional flaws emerged in the same handler: loop-based double-fetches on strings for length calculation and allocation, and snprintf misuse during process termination, copying wide strings to fixed buffers.
A pData variant repeats the pattern with separate sizing iterations before memcpy. These yield user-controlled overflows and DoS via invalid pointers.
Avast addressed the issues in version 25.3 by capturing structures to kernel memory, reusing initial lengths, adding size checks against fixed buffers, and validating pointers.
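The double fetch described above and the capture-to-kernel-memory fix, shown side by side as an added teaching model in portable C (not code from aswSnx.sys or from SAFA): the hook argument stands in for a racing user thread, and the UNICODE_STRING layout, the sample buffer and the 0x1000 length limit are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Portable model of the user-supplied UNICODE_STRING (same field order as the
 * Windows type). Teaching model only, not code from aswSnx.sys. */
typedef struct {
    uint16_t Length;          /* byte count of Buffer */
    uint16_t MaximumLength;
    uint16_t *Buffer;
} unicode_string_t;
/* Stands in for a racing user thread that edits the structure between fetches. */
typedef void (*race_hook_t)(unicode_string_t *user);

/* VULNERABLE pattern: Length is read once to size the allocation and again for
 * the copy. Returns how many bytes the copy would have run past the allocation
 * (0 = no overflow); the model clamps the real memcpy so it stays memory-safe. */
size_t handler_double_fetch(unicode_string_t *user, race_hook_t hook) {
    size_t alloc_len = user->Length;                 /* fetch #1: sizes the pool block */
    uint8_t *pool = malloc(alloc_len ? alloc_len : 1);
    if (hook) hook(user);                            /* race window */
    size_t copy_len = user->Length;                  /* fetch #2: sizes the copy */
    size_t overflow = copy_len > alloc_len ? copy_len - alloc_len : 0;
    memcpy(pool, user->Buffer, copy_len - overflow);
    free(pool);
    return overflow;
}

/* HARDENED pattern, as the 25.3 fix is described: capture the header into
 * kernel-owned memory once, validate it, then use only the captured copy
 * (a real driver would probe the user pointer instead of a NULL check).
 * Returns 0 on success, -1 if the request is rejected. */
int handler_captured(const unicode_string_t *user, race_hook_t hook, size_t max_len) {
    unicode_string_t cap;
    memcpy(&cap, user, sizeof cap);                  /* single fetch of the header */
    if (cap.Length == 0 || cap.Length > max_len || (cap.Length & 1) || !cap.Buffer)
        return -1;                                   /* size and pointer validation */
    if (hook) hook((unicode_string_t *)user);        /* user copy changes... */
    uint8_t *pool = malloc(cap.Length);
    if (!pool) return -1;
    memcpy(pool, cap.Buffer, cap.Length);            /* ...but only cap.* is used */
    free(pool);
    return 0;
}

/* Constructed sample: Length starts at 16 bytes; the "other thread" grows it to 512. */
static uint16_t sample_buf[0x100];
static void grow_length(unicode_string_t *u) { u->Length = sizeof sample_buf; }
static unicode_string_t make_sample(void) { return (unicode_string_t){ 0x10, sizeof sample_buf, sample_buf }; }
size_t demo_double_fetch(void)  { unicode_string_t u = make_sample(); return handler_double_fetch(&u, grow_length); }
int demo_captured(void)         { unicode_string_t u = make_sample(); return handler_captured(&u, grow_length, 0x1000); }
int demo_captured_rejects(void) { unicode_string_t u = make_sample(); return handler_captured(&u, NULL, 8); }
```

With the race hook active, the vulnerable handler reports 496 bytes that would have landed past the 16-byte allocation, while the captured variant copies exactly the 16 bytes it validated.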
CVSS v3.1 scores it at 9.9 (Critical) due to low complexity, low privileges needed, and full CIA impact via scope change.
SAFA demonstrated LPE on the latest Windows 11, proving its viability despite sandboxing.
Organizations should update immediately, limit local privileges, and audit logs for escalation attempts. This underscores persistent risks in AV kernel drivers, even with defenses.
