CVE-2025-7019

June 12, 2026, 10:16 p.m.

5.5
Medium

Description

Stack overflow vulnerability in Avast Antivirus when scanning a malformed Office Open XML file may allow Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25020100. The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.

Product(s) Impacted

Vendor Product Versions
Avast
  • Avast Antivirus
  • Avast One
  • Avast Business Antivirus
  • <25020100
  • <25020100
  • <25020100
Avg
  • Avg Antivirus
  • <25020100
Nortonlifelock
  • Norton Antivirus
  • <25020100

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-121
Stack-based Buffer Overflow
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a avast avast_antivirus <25020100 / / / / / / /
a avg avg_antivirus <25020100 / / / / / / /
a nortonlifelock norton_antivirus <25020100 / / / / / / /
a avast avast_one <25020100 / / / / / / /
a avast avast_business_antivirus <25020100 / / / / / / /

References

https://www.gendigital.com/us/en/contact-us/security-advisories/

Tags

CWE-121
[email protected]
2026-06-12
CVE-2025-7019

CVSS Score

5.5 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: June 12, 2026, 10:16 p.m.
Last Modified: June 12, 2026, 10:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.