CVE-2022-26523
Double Fetch Vulnerability in Avast and AVG Anti Rootkit Driver
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| avast | avg_windows_anti_rootkit_driver | to 22.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the Avast and AVG Anti Rootkit driver allows local attackers to escalate privileges to kernel-level access, potentially disabling security products, corrupting the operating system, or performing malicious operations undetected.
Such unauthorized access and control over a system could lead to breaches of sensitive data or disruption of system integrity, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and health information.
However, the provided resources do not explicitly discuss the direct impact of this vulnerability on compliance with these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves the Avast and AVG Anti Rootkit driver aswArPot.sys before version 22.1, which allows local attackers to execute arbitrary code or cause denial of service via a double fetch vulnerability triggered by socket connections.
Detection can focus on identifying the presence and version of the vulnerable driver on the system. Checking if the Avast or AVG Anti Rootkit driver aswArPot.sys is installed and whether it is older than version 22.1 is essential.
- Use PowerShell to read the driver's service registration; the ImagePath value points to the aswArPot.sys file whose version then needs to be checked, for example: `Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\aswArPot' | Select-Object -Property DisplayName, ImagePath, Description`
- Check loaded drivers with `driverquery /v | findstr aswArPot` to see if the vulnerable driver is active.
- Monitor for suspicious local socket connection attempts that could trigger the vulnerability, although no specific detection commands are provided.
No explicit detection commands or network signatures are provided in the available resources.
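A version check along the lines described above, as an added PowerShell example that is not from the advisory or the vendor. It assumes the driver's file version follows the product version the page cites (22.1) and that the service key is the one queried above; the function names are hypothetical.

```powershell
# Added example: report whether aswArPot.sys is present, loaded, and older than 22.1.
$FixedVersion = [version]'22.1'   # fixed version as stated on this page
$ServiceKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\aswArPot'

function Resolve-DriverPath {
    param([string]$ImagePath)
    # Driver ImagePath values are usually stored as '\SystemRoot\...',
    # '\??\C:\...' or relative to %SystemRoot% ('System32\drivers\...').
    $p   = $ImagePath.Trim('"')
    $cmp = [StringComparison]::OrdinalIgnoreCase
    if ($p.StartsWith('\SystemRoot\', $cmp)) { return Join-Path $env:SystemRoot $p.Substring(12) }
    if ($p.StartsWith('\??\', $cmp))         { return $p.Substring(4) }
    if ($p -notmatch '^[A-Za-z]:\\')         { return Join-Path $env:SystemRoot $p }
    return $p
}

function Test-AswArPotVersion {
    $svc = Get-ItemProperty -Path $ServiceKey -ErrorAction SilentlyContinue
    if (-not $svc -or -not $svc.ImagePath) {
        return [pscustomobject]@{ Status = 'NotInstalled' }
    }
    $path = Resolve-DriverPath $svc.ImagePath
    if (-not (Test-Path -LiteralPath $path)) {
        # Service key left behind without the binary (e.g. partial uninstall).
        return [pscustomobject]@{ Status = 'ServiceKeyOnly'; Path = $path }
    }
    # Use the numeric version parts; the FileVersion string may carry extra text.
    $vi  = (Get-Item -LiteralPath $path).VersionInfo
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                          $vi.FileBuildPart, $vi.FilePrivatePart)
    # A driver on disk is only reachable by a local user if it is loaded.
    $running = [bool](Get-CimInstance Win32_SystemDriver -Filter "Name='aswArPot'" |
                      Where-Object State -eq 'Running')
    [pscustomobject]@{
        Status  = if ($ver -lt $FixedVersion) { 'Vulnerable' } else { 'Fixed' }
        Version = $ver
        Loaded  = $running
        Path    = $path
        Signer  = (Get-AuthenticodeSignature -LiteralPath $path).SignerCertificate.Subject
    }
}

Test-AswArPotVersion | Format-List
```

A `Vulnerable` result with `Loaded = True` is the case to prioritise for patching; the `Signer` field helps confirm the file is the vendor's driver rather than a renamed binary.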
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update Avast and AVG antivirus products to version 22.1 or later, where the vulnerability has been fixed.
For users with air-gapped or on-premise installations, manually applying the patch or update is critical since the fix may not be delivered automatically.
Until the update is applied, restrict local user access to systems running the vulnerable driver to prevent exploitation.
Monitor systems for unusual behavior or crashes related to the aswArPot.sys driver, which could indicate exploitation attempts.
Can you explain this vulnerability to me?
This vulnerability exists in the socket connection handler of the aswArPot.sys driver, which is part of the Avast and AVG Windows Anti Rootkit software. It is caused by a double fetch issue at a specific code location (aswArPot+0xbb94). A double fetch means the driver reads the same user-controlled value from memory twice, so the value can change between the two reads. This flaw allows a local attacker to either execute arbitrary code with kernel-level privileges or cause a denial of service by triggering memory corruption and crashing the operating system.
How can this vulnerability impact me?
The vulnerability can have severe impacts including allowing a local attacker to run arbitrary code in kernel mode, which can lead to full system compromise. Alternatively, it can cause a denial of service by corrupting memory and crashing the operating system, resulting in system instability or downtime.