Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Flaws in Avast, AVG Antiviruses Could Have Facilitated Attacks on Millions of Devices

Researchers at endpoint security firm SentinelOne have discovered two potentially serious vulnerabilities in antivirus products from Avast and AVG.

Researchers at endpoint security firm SentinelOne have discovered two potentially serious vulnerabilities in antivirus products from Avast and AVG.

According to SentinelOne, the two vulnerabilities, tracked as CVE-2022-26522 and CVE-2022-26523, impacted both Avast and AVG antiviruses — Avast acquired AVG in 2016 and the flaws affect a shared anti-rootkit driver.

The security holes were reported to Avast in December and they were patched in February with the release of version 22.1.

Both SentinelOne and Avast said they have not seen any attacks exploiting these vulnerabilities.

“Avast and AVG users were automatically updated and are protected against any risk of exploitation, although we have not seen the vulnerabilities abused in the wild. We recommend our Avast and AVG users constantly update their software to the latest version to be protected,” Avast told SecurityWeek in a statement.

“Coordinated disclosure is an excellent way of preventing risks from manifesting into attacks, and we encourage participation in our bug bounty program,” the antivirus firm added.

However, SentinelOne pointed out that air-gapped or on-premises installations that are not automatically updated could still be vulnerable, and users have been advised to ensure that the patches are installed as soon as possible.

CVE-2022-26522 and CVE-2022-26523 appear to have been introduced with the release of Avast 12.1 in January 2012.

Considering that the flaws have been present in the Avast antivirus for a decade, SentinelOne estimates that millions of users were at risk, and warned that malicious actors could still seek out those users whose antiviruses may not have been updated.

SentinelOne has released technical details for both vulnerabilities, which have been rated “high severity” and which allow an attacker with limited privileges on the targeted system to execute code in kernel mode and take complete control of the device.

“Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation. For example, the vulnerabilities could be exploited as part of a second stage browser attack or to perform a sandbox escape, among other possibilities,” SentinelOne said.

The company added, “Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products.”

Related: High-Severity Dell Driver Vulnerabilities Impact Hundreds of Millions of Devices

Related: Vulnerability Prompts Avast to Disable Emulator Used by Antivirus

Related: ESET Patches High-Severity Vulnerability in Windows Applications

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.