Avast Antivirus Sandbox Vulnerabilities Let Attackers Escalate Privileges

Security researchers at SAFA have uncovered critical vulnerabilities in Avast Antivirus that could allow attackers to gain full system control.

The discovery involves four distinct kernel heap overflow vulnerabilities within the aswSnx kernel driver, collectively assigned CVE-2025-13032.

The Attack Surface

Avast Antivirus includes multiple kernel drivers that interact with user applications through IOCTL (Input/Output Control) handlers.

Researchers identified that the aswSnx driver exposed the highest number of accessible IOCTLs to unprivileged users, making it an attractive target for vulnerability research.

The driver implements a sandbox mechanism designed to isolate untrusted processes and limit their system access.

The primary issue stems from "double fetch" vulnerabilities: the kernel reads user-controlled data twice and assumes the value has not changed between the two reads, even though the memory remains writable by the caller the whole time.

In one critical flaw, when processing Unicode strings, the kernel reads the string length from the user-supplied structure once to size a pool allocation, then reads it again later to size the copy into that allocation.

A malicious user with a second thread can change the length between these two reads, so the kernel allocates a buffer sized for the first value and then copies the (larger) second value into it. The result is a kernel pool overflow with attacker-controlled data.

The vulnerable IOCTL handler (0x82AC0204) fails to capture the user-supplied structure into kernel memory before processing it, so both reads go to memory the attacker can modify concurrently. This is a time-of-check-time-of-use (TOCTOU) condition.
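The double-fetch pattern and its fix, as an added C example that is not the aswSnx driver's code: the structure mirrors the Windows UNICODE_STRING layout, the race is simulated with a callback instead of a second thread, and the names, the sample path and the 0x4000 length the "attacker" flips to are all assumptions for the demo. The handlers report how many bytes they would allocate and copy rather than actually overflowing memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Demo mirror of the Windows UNICODE_STRING layout (Length/MaximumLength in bytes).
 * Illustrative only; not the driver's real request structure. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    wchar_t *Buffer;
} demo_ustring_t;

typedef struct {
    size_t allocated;   /* bytes the handler reserved for its kernel copy */
    size_t copied;      /* bytes the handler then copies from user memory */
} demo_result_t;

/* Stands in for a second user thread rewriting Length between the kernel's two reads. */
typedef void (*race_hook_t)(demo_ustring_t *shared);

/* Vulnerable pattern: the handler works directly on the user-mode structure and reads
 * Length twice. If the value changes in between, copied > allocated. */
static demo_result_t handler_double_fetch(demo_ustring_t *user_req, race_hook_t race)
{
    demo_result_t r = {0, 0};
    r.allocated = user_req->Length;   /* fetch 1: sizes the pool allocation */
    if (race) race(user_req);         /* attacker thread flips Length here */
    r.copied = user_req->Length;      /* fetch 2: sizes the copy */
    /* In a real driver the overflow happens here: RtlCopyMemory(pool, Buffer, copied). */
    return r;
}

/* Hardened pattern: capture the structure once, validate the captured values, and never
 * touch the user-mode copy again. The race now only changes memory the kernel is done with. */
static demo_result_t handler_single_fetch(demo_ustring_t *user_req, race_hook_t race, size_t max_len)
{
    demo_result_t r = {0, 0};
    demo_ustring_t captured;
    memcpy(&captured, user_req, sizeof captured);   /* ProbeForRead + copy in a real driver */
    if (race) race(user_req);                       /* too late: the kernel uses 'captured' */
    if (captured.Length == 0 || captured.Length > max_len ||
        (captured.Length % sizeof(wchar_t)) != 0)
        return r;                                   /* reject once, before any allocation */
    r.allocated = captured.Length;
    r.copied = captured.Length;                     /* equal to the allocation by construction */
    return r;
}

/* Assumed attacker behaviour: grow the length after the allocation was sized. */
static void grow_length(demo_ustring_t *shared) { shared->Length = 0x4000; }

static int would_overflow(demo_result_t r) { return r.copied > r.allocated; }

/* Constructed sample request: an ordinary-looking 24-character path. */
static wchar_t demo_path[] = L"C:\\sandboxed\\payload.exe";

static demo_ustring_t demo_make_request(void)
{
    demo_ustring_t req;
    req.Length = (uint16_t)(wcslen(demo_path) * sizeof(wchar_t));
    req.MaximumLength = (uint16_t)sizeof demo_path;
    req.Buffer = demo_path;
    return req;
}

/* Scenario helpers: each returns 1 when the handler would write past its allocation. */
int demo_vulnerable_without_race(void)
{ demo_ustring_t q = demo_make_request(); return would_overflow(handler_double_fetch(&q, NULL)); }

int demo_vulnerable_with_race(void)
{ demo_ustring_t q = demo_make_request(); return would_overflow(handler_double_fetch(&q, grow_length)); }

int demo_hardened_with_race(void)
{ demo_ustring_t q = demo_make_request(); return would_overflow(handler_single_fetch(&q, grow_length, 4096)); }

size_t demo_hardened_alloc(void)
{ demo_ustring_t q = demo_make_request(); return handler_single_fetch(&q, grow_length, 4096).allocated; }

int main(void)
{
    printf("double fetch, no race : overflow=%d\n", demo_vulnerable_without_race());
    printf("double fetch, raced   : overflow=%d\n", demo_vulnerable_with_race());
    printf("single fetch, raced   : overflow=%d (alloc=%zu)\n", demo_hardened_with_race(), demo_hardened_alloc());
    return 0;
}
```

The fix is not a larger allocation or a second size check on the live user pointer; it is reading the structure exactly once into kernel-owned memory and deriving both the allocation size and the copy size from that single capture, which is what the article describes Avast doing when it removed the second length calculation.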

Reaching the vulnerabilities presented an unusual challenge: the targeted IOCTL is only accessible to sandboxed processes.

Unlike typical privilege escalation attacks that break out of sandboxes, researchers had to break in first.

By reverse-engineering the aswSnx driver, they discovered that process sandboxing is controlled via a configuration file at %ProgramData%\Avast Software\Avast\snx_lconfig.xml.

Researchers identified that IOCTL 0x82AC0054 allows registering new processes to the sandbox configuration with read-only permissions.

By setting specific flags and the process name, they could place their exploit process within the sandbox and then trigger the vulnerability.

Beyond the primary double fetch flaw, researchers discovered three additional variants affecting different string encoding types, plus two local denial-of-service vulnerabilities caused by missing pointer validation checks.

Avast responded quickly, releasing patches within 12 days of accepting the report, well ahead of typical industry turnaround times.

The vendor fixed most issues by removing the second length read and adding size verification before the memory operations. CVE-2025-13032 was formally assigned in November 2025.

This research demonstrates that even mature, widely-deployed security software can contain critical flaws exploitable with limited resources and opportunistic vulnerability hunting techniques.


The post Avast Antivirus Sandbox Vulnerabilities Let Attackers Escalate Privileges appeared first on Cyber Security News.
