CVE-2025-7011
Deferred Deferred - Pending Action

Heap out-of-bounds read in Avast Antivirus

Vulnerability report for CVE-2025-7011, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: NortonLifeLock Inc.

Description

Heap out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed zip file containing XML may allow Local Execution of Code or Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds from 25020100 before 25021208. The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-12
Last Modified
2026-06-15
Generated
2026-07-03
AI Q&A
2026-06-13
EPSS Evaluated
2026-07-02
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
avast avast_antivirus From 25020100 (inc) to 25021208 (exc)
avast avg_antivirus From 25020100 (inc) to 25021208 (exc)
norton_lifelock norton_antivirus From 25020100 (inc) to 25021208 (exc)
avast avast_one From 25020100 (inc) to 25021208 (exc)
avast avast_business_antivirus From 25020100 (inc) to 25021208 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a heap out-of-bounds read issue found in Avast Antivirus products when scanning a malformed zip file that contains XML data. It can lead to local execution of code or cause a denial-of-service condition in the antivirus process.

Impact Analysis

The vulnerability can allow an attacker to execute code locally on your system or cause the antivirus process to crash, resulting in denial-of-service. This could compromise the security of your device by bypassing antivirus protections or causing interruptions in antivirus functionality.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, or Avast Business Antivirus product is updated to virus definition build 25021208 or later.

Installations at or above this build are not vulnerable regardless of which product consumes the virus definition update stream.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-7011. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart