CVE-2025-7006

June 12, 2026, 10:16 p.m.

5.5
Medium

Description

Use of stack memory after free vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25022500. The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.

Product(s) Impacted

Vendor Product Versions
Avast
  • Avast Antivirus
  • Avast One
  • Avast Business Antivirus
  • <25022500>
  • <25022500>
  • <25022500>
Avg
  • Avg Antivirus
  • <25022500>
Norton
  • Norton Antivirus
  • <25022500>

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-590
Free of Memory not on the Heap
The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a avast avast_antivirus <25022500> / / / / / / /
a avg avg_antivirus <25022500> / / / / / / /
a norton norton_antivirus <25022500> / / / / / / /
a avast avast_one <25022500> / / / / / / /
a avast avast_business_antivirus <25022500> / / / / / / /

References

https://www.gendigital.com/us/en/contact-us/security-advisories/

Tags

[email protected]
CWE-590
2026-06-12
CVE-2025-7006

CVSS Score

5.5 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: June 12, 2026, 10:16 p.m.
Last Modified: June 12, 2026, 10:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.