CVE-2026-27750
Received Received - Intake
TOCTOU Vulnerability in Avira Optimizer Enables Privilege Escalation

Publication date: 2026-03-05

Last updated on: 2026-04-01

Assigner: VulnCheck

Description
Avira Internet Security contains a time-of-check time-of-use (TOCTOU) vulnerability in the Optimizer component. A privileged service running as SYSTEM identifies directories for cleanup during a scan phase and subsequently deletes them during a separate cleanup phase without revalidating the target path. A local attacker can replace a previously scanned directory with a junction or reparse point before deletion occurs, causing the privileged process to delete an unintended system location. This may result in deletion of protected files or directories and can lead to local privilege escalation, denial of service, or system integrity compromise depending on the affected target.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27750
EUVD
EUVD-2026-9822
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
avira internet_security to 1.1.114.3113 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27750 is a time-of-check time-of-use (TOCTOU) race condition vulnerability found in the Optimizer component of Avira Internet Security.

A privileged service running with SYSTEM-level permissions first identifies directories for cleanup during a scan phase and later deletes them in a separate cleanup phase without revalidating the target paths.

A local attacker can exploit the time gap between these phases by replacing a previously scanned directory with a junction or reparse point before deletion occurs.

This causes the privileged process to delete unintended system locations, including protected files or directories.

Impact Analysis

The vulnerability can lead to deletion of protected files or directories by a privileged process.

This may result in local privilege escalation, denial of service, or compromise of system integrity depending on the affected target.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': "To mitigate the CVE-2026-27750 vulnerability, it is important to prevent exploitation of the TOCTOU race condition in Avira Internet Security's Optimizer component."}, {'type': 'list_item', 'content': 'Avoid running the vulnerable Avira Internet Security versions until a patch or update is applied.'}, {'type': 'list_item', 'content': 'Check for and apply any security updates or patches provided by Avira that address this vulnerability.'}, {'type': 'list_item', 'content': 'Limit local user permissions to reduce the risk of a local attacker exploiting the vulnerability.'}, {'type': 'list_item', 'content': 'Monitor system directories for suspicious junctions or reparse points that could be used to exploit the deletion process.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27750. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart