Avast Antivirus Sandbox Vulnerabilities Let Attackers Escalate Privileges


Security researchers from the SAFA team have uncovered four kernel heap overflow vulnerabilities in Avast Antivirus, all traced to the aswSnx kernel driver.

The flaws, now tracked collectively as CVE-2025-13032, could allow a local attacker to escalate privileges to SYSTEM on Windows 11 if successfully exploited.

The research focused on Avast’s sandbox implementation, a component designed to isolate untrusted processes.

Avast Sandbox Escape Vulnerability

To reach the vulnerable code paths, the team first had to understand and manipulate Avast’s custom sandbox profile, since the most critical IOCTL handlers in aswSnx are accessible only to sandboxed processes, not to regular user processes.

By analyzing Avast’s kernel drivers and IOCTL interfaces, the researchers identified aswSnx as the most promising target due to its large number of user-accessible IOCTL handlers.


Within these handlers, SAFA found several cases where user-controlled data from user space was improperly handled in kernel space.

In particular, multiple “double fetch” conditions allowed the length of user-supplied strings to be changed between validation, allocation, and copy operations, leading to controlled kernel heap overflows.
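The following is an added illustration of the double-fetch pattern described above, not code from SAFA’s research or from the aswSnx driver; the request layout, the 64-byte bound and the deterministic “racing thread” model are all assumptions made for the example. The vulnerable handler re-reads the user-controlled length for validation, allocation and copy, so a write that lands between the reads makes the copy larger than the allocation; the hardened handler captures the length once into a kernel-owned local.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_NAME_LEN 64   /* hypothetical bound enforced by the handler */

/* Constructed model of an IOCTL input buffer living in user memory.
 * A racing user thread is modelled deterministically: after `flip_after`
 * driver reads, the length field changes to `flip_to`. */
struct user_req {
    uint32_t len;        /* value when the IOCTL is issued */
    uint32_t flip_to;    /* value the racing thread writes */
    unsigned flip_after; /* driver reads before that write lands */
    unsigned reads;      /* internal counter, start at 0 */
};

static uint32_t fetch_len(struct user_req *r) {
    return (++r->reads > r->flip_after) ? r->flip_to : r->len;
}

struct result { int status; size_t alloc; size_t copy; };

/* Double fetch: check, allocation and copy each re-read user memory.
 * Sizes are returned instead of copying so the mismatch is inspectable. */
struct result vulnerable_handler(struct user_req *r) {
    struct result res = {0, 0, 0};
    if (fetch_len(r) > MAX_NAME_LEN) { res.status = -1; return res; }
    res.alloc = fetch_len(r);   /* size handed to the pool allocator */
    res.copy  = fetch_len(r);   /* size handed to the copy routine */
    return res;
}

/* Fix: fetch once into a local the user cannot touch, use it everywhere. */
struct result hardened_handler(struct user_req *r) {
    struct result res = {0, 0, 0};
    uint32_t len = fetch_len(r);
    if (len > MAX_NAME_LEN) { res.status = -1; return res; }
    res.alloc = len;
    res.copy  = len;
    return res;
}

/* True when the copy would run past the allocation: a kernel heap overflow. */
bool would_overflow(struct result res) {
    return res.status == 0 && res.copy > res.alloc;
}

int main(void) {
    struct user_req a = {16, 4096, 2, 0}, b = {16, 4096, 2, 0};
    printf("vulnerable overflow=%d\n", would_overflow(vulnerable_handler(&a)));
    printf("hardened   overflow=%d\n", would_overflow(hardened_handler(&b)));
    return 0;
}
```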

Additional issues included unsafe use of string functions and missing pointer validation, which could be exploited to cause local denial-of-service attacks.

Altogether, the team reported four kernel heap overflow vulnerabilities and two local denial-of-service issues affecting Avast 25.2.9898.0 and potentially other Gen Digital products that share the same driver code.

Exploiting these bugs required first registering an attacker-controlled process into the Avast sandbox via a specific IOCTL that updates the sandbox configuration.

Once inside the sandbox, the attacker could trigger the vulnerable IOCTLs and achieve local privilege escalation to SYSTEM.

Avast responded quickly, issuing patches that corrected the double-fetch patterns, enforced proper bounds checking on string operations, and added the missing validity checks before dereferencing user pointers.

According to the timeline shared by SAFA, most vulnerabilities were fixed within about 12 days of initial acceptance, with CVE-2025-13032 officially published on November 11, 2025.

The SAFA team says these findings show that serious kernel flaws can still be discovered in widely used security tools through careful manual checks and innovative techniques.
