CVE-2022-26522
Awaiting Analysis Awaiting Analysis - Queue
Double Fetch Vulnerability in Avast AVG Anti Rootkit Driver

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: MITRE

Description
The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2022-26522
EUVD
EUVD-2022-31079
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
avast avg 12.1
avast avg 22.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

The vulnerability CVE-2022-26522 involves the Avast and AVG Anti Rootkit driver aswArPot.sys and can be triggered by initiating a socket connection. Detection would involve checking for the presence and version of the affected driver (before version 22.1) on the system.

Since the vulnerability is local and related to kernel mode code execution via a race condition in the driver, network-based detection is unlikely to be effective.

To detect if the vulnerable driver is present, you can run commands to check the installed Avast or AVG version and the driver version, for example on Windows:

  • Use PowerShell to check installed Avast/AVG version: Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -like '*Avast*' -or $_.DisplayName -like '*AVG*' } | Select-Object DisplayName, DisplayVersion
  • Check loaded drivers and their versions: driverquery /v | findstr aswArPot

If the driver version is older than 22.1, the system is vulnerable.

Mitigation Strategies

The primary mitigation step is to update Avast or AVG antivirus products to version 22.1 or later, where the vulnerability has been fixed.

For users with air-gapped or on-premise installations that do not receive automatic updates, manually applying the patch or upgrading to the fixed version is critical.

Until the update is applied, restrict local user access to systems running vulnerable versions to reduce the risk of local privilege escalation.

Monitor systems for unusual activity that could indicate exploitation attempts, such as unexpected crashes or kernel mode errors related to aswArPot.sys.

Compliance Impact

The vulnerability in Avast and AVG's Anti Rootkit driver allows local attackers to escalate privileges to kernel mode, potentially disabling security products, corrupting the operating system, or performing malicious operations undetected.

Such unauthorized access and control over a system could lead to breaches of sensitive data or system integrity, which may impact compliance with standards and regulations like GDPR or HIPAA that require protection of personal and health information.

Failure to patch this vulnerability, especially in enterprise environments, could increase the risk of data breaches or system compromise, thereby affecting an organization's ability to meet regulatory requirements for data security and privacy.

Executive Summary

CVE-2022-26522 is a vulnerability in the Avast and AVG Windows Anti Rootkit driver, specifically in the socket connection handler of the aswArPot.sys driver before version 22.1. It involves a race condition and a double fetch issue related to the Process Environment Block (PEB) structure, where an attacker can manipulate the Length field of the CommandLine structure. This leads to improper memory allocation, allowing local attackers to execute arbitrary code in kernel mode or cause a denial of service through memory corruption and operating system crashes.

The flaw can be triggered by initiating a socket connection, enabling attackers to escalate privileges from a non-administrator user to kernel-level access. This can allow them to disable security products, overwrite system components, corrupt the OS, or perform malicious operations without detection.

Impact Analysis

This vulnerability can have severe impacts because it allows local attackers to escalate their privileges to kernel-level access. With such access, attackers can disable security software, overwrite critical system components, corrupt the operating system, or carry out malicious activities undetected.

  • Potential arbitrary code execution in kernel mode.
  • Denial of service through memory corruption and OS crashes.
  • Disabling of security products.
  • Corruption or modification of system components.
  • Possible exploitation in sandbox escapes or second-stage browser attacks.

The risk is significant for both individual users and enterprises, especially if the affected software is not updated to the fixed version 22.1.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-26522. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart