CVE-2022-26522
Awaiting Analysis - Queue
Double Fetch Vulnerability in Avast AVG Anti Rootkit Driver

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: MITRE

Description
The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3.
Meta Information

Published: 2026-05-08

Last Modified: 2026-05-08

Generated: 2026-05-09

AI Q&A: 2026-05-08

EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
avast avg 12.1
avast avg 22.1
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2022-26522 is a vulnerability in the Avast and AVG Windows Anti Rootkit driver, specifically in the socket connection handler of the aswArPot.sys driver before version 22.1. It involves a race condition and a double fetch issue related to the Process Environment Block (PEB) structure, where an attacker can manipulate the Length field of the CommandLine structure. This leads to improper memory allocation, allowing local attackers to execute arbitrary code in kernel mode or cause a denial of service through memory corruption and operating system crashes.

The flaw can be triggered by initiating a socket connection, enabling attackers to escalate privileges from a non-administrator user to kernel-level access. This can allow them to disable security products, overwrite system components, corrupt the OS, or perform malicious operations without detection.
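
The check-then-use gap described above, modelled in user-mode C as an added example; it is not Avast's driver code and not part of the original page. The struct, the race_hook stand-in for the racing thread, and the allocate-then-copy shape are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a counted string in memory another thread can write. */
typedef struct { volatile uint16_t Length; const char *Buffer; } counted_str;
typedef struct { size_t allocated; size_t used_for_copy; } fetch_report;

/* Hypothetical hook modelling the racing writer; it runs between the reads. */
static void (*race_hook)(counted_str *) = NULL;
static void grow_length(counted_str *s) { s->Length = 64; }

/* Double fetch: Length is read once to size the buffer and again to copy. */
fetch_report copy_double_fetch(counted_str *s) {
    fetch_report r = {0, 0};
    size_t alloc_len = s->Length;            /* fetch 1: sizes the allocation */
    char *dst = malloc(alloc_len + 1);       /* +1 avoids malloc(0) */
    if (!dst) return r;
    if (race_hook) race_hook(s);             /* writer changes Length here */
    size_t copy_len = s->Length;             /* fetch 2: may no longer match */
    /* Clamped so the demo stays memory-safe; it only reports the mismatch. */
    memcpy(dst, s->Buffer, copy_len < alloc_len ? copy_len : alloc_len);
    r.allocated = alloc_len; r.used_for_copy = copy_len;
    free(dst);
    return r;
}

/* Single fetch: snapshot Length once and use only the local copy. */
fetch_report copy_single_fetch(counted_str *s) {
    fetch_report r = {0, 0};
    size_t len = s->Length;                  /* the only read of shared state */
    char *dst = malloc(len + 1);
    if (!dst) return r;
    if (race_hook) race_hook(s);             /* later changes have no effect */
    memcpy(dst, s->Buffer, len);
    r.allocated = r.used_for_copy = len;
    free(dst);
    return r;
}

int main(void) {
    static char cmdline[64];                 /* constructed sample data */
    counted_str s = { 8, cmdline };
    race_hook = grow_length;
    fetch_report bad = copy_double_fetch(&s);
    s.Length = 8;
    fetch_report good = copy_single_fetch(&s);
    return !(bad.used_for_copy > bad.allocated && good.used_for_copy == good.allocated);
}
```

The double-fetch variant reports a copy length larger than the allocation once the value changes between reads; the single-fetch variant cannot, because every later decision uses the captured local.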


How can this vulnerability impact me?

This vulnerability can have severe impacts because it allows local attackers to escalate their privileges to kernel-level access. With such access, attackers can disable security software, overwrite critical system components, corrupt the operating system, or carry out malicious activities undetected.

  • Potential arbitrary code execution in kernel mode.
  • Denial of service through memory corruption and OS crashes.
  • Disabling of security products.
  • Corruption or modification of system components.
  • Possible exploitation in sandbox escapes or second-stage browser attacks.

The risk is significant for both individual users and enterprises, especially if the affected software is not updated to the fixed version 22.1.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability CVE-2022-26522 involves the Avast and AVG Anti Rootkit driver aswArPot.sys and can be triggered by initiating a socket connection. Detection would involve checking for the presence and version of the affected driver (before version 22.1) on the system.

Since the vulnerability is local and related to kernel mode code execution via a race condition in the driver, network-based detection is unlikely to be effective.

To detect if the vulnerable driver is present, you can run commands to check the installed Avast or AVG version and the driver version, for example on Windows:

  • Use PowerShell to check installed Avast/AVG version:
      Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -like '*Avast*' -or $_.DisplayName -like '*AVG*' } | Select-Object DisplayName, DisplayVersion
  • Check loaded drivers and their versions:
      driverquery /v | findstr aswArPot

If the driver version is older than 22.1, the system is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to update Avast or AVG antivirus products to version 22.1 or later, where the vulnerability has been fixed.

For users with air-gapped or on-premise installations that do not receive automatic updates, manually applying the patch or upgrading to the fixed version is critical.

Until the update is applied, restrict local user access to systems running vulnerable versions to reduce the risk of local privilege escalation.

Monitor systems for unusual activity that could indicate exploitation attempts, such as unexpected crashes or kernel mode errors related to aswArPot.sys.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Avast and AVG's Anti Rootkit driver allows local attackers to escalate privileges to kernel mode, potentially disabling security products, corrupting the operating system, or performing malicious operations undetected.

Such unauthorized access and control over a system could lead to breaches of sensitive data or system integrity, which may impact compliance with standards and regulations like GDPR or HIPAA that require protection of personal and health information.

Failure to patch this vulnerability, especially in enterprise environments, could increase the risk of data breaches or system compromise, thereby affecting an organization's ability to meet regulatory requirements for data security and privacy.

