Flaws in Avast, AVG Antiviruses Could Have Facilitated Attacks on Millions of Devices

Researchers at endpoint security firm SentinelOne have discovered two potentially serious vulnerabilities in antivirus products from Avast and AVG.

According to SentinelOne, the two vulnerabilities, tracked as CVE-2022-26522 and CVE-2022-26523, impacted both Avast and AVG antiviruses — Avast acquired AVG in 2016 and the flaws affect a shared anti-rootkit driver.

The security holes were reported to Avast in December and they were patched in February with the release of version 22.1.

Both SentinelOne and Avast said they have not seen any attacks exploiting these vulnerabilities.

“Avast and AVG users were automatically updated and are protected against any risk of exploitation, although we have not seen the vulnerabilities abused in the wild. We recommend our Avast and AVG users constantly update their software to the latest version to be protected,” Avast told SecurityWeek in a statement.

“Coordinated disclosure is an excellent way of preventing risks from manifesting into attacks, and we encourage participation in our bug bounty program,” the antivirus firm added.

However, SentinelOne pointed out that air-gapped or on-premises installations that are not automatically updated could still be vulnerable, and users have been advised to ensure that the patches are installed as soon as possible.

CVE-2022-26522 and CVE-2022-26523 appear to have been introduced with the release of Avast 12.1 in January 2012.

Considering that the flaws have been present in the Avast antivirus for a decade, SentinelOne estimates that millions of users were at risk, and warned that malicious actors could still seek out those users whose antiviruses may not have been updated.

SentinelOne has released technical details for both vulnerabilities, which have been rated “high severity” and which allow an attacker with limited privileges on the targeted system to execute code in kernel mode and take complete control of the device.

“Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation. For example, the vulnerabilities could be exploited as part of a second stage browser attack or to perform a sandbox escape, among other possibilities,” SentinelOne said.

The company added, “Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products.”

Related: High-Severity Dell Driver Vulnerabilities Impact Hundreds of Millions of Devices

Related: Vulnerability Prompts Avast to Disable Emulator Used by Antivirus

Related: ESET Patches High-Severity Vulnerability in Windows Applications