A high-severity vulnerability has been identified in Avast Antivirus for MacOS and Linux. An attacker can exploit this flaw by sending a specially crafted file to a target system, causing the antivirus software to crash and creating a temporary gap in security protection. This denial-of-service condition leaves the system vulnerable to other malware until the antivirus service is restarted.

The vulnerability is a NULL Pointer Dereference that occurs within the antivirus scanning engine on MacOS and Linux platforms. When the antivirus software attempts to scan a malformed Windows Portable Executable (PE) file, the engine tries to access a memory address that has not been properly initialized (a NULL pointer). This illegal memory access causes an unhandled exception, leading to the immediate termination and crash of the antivirus process. An attacker can trigger this vulnerability by delivering the malformed PE file to a target system via email, web download, or other vectors, resulting in a denial of service of the security software.

This vulnerability is rated as High severity with a CVSS score of 7.5. The primary business impact is a denial of service for a critical security control. Exploitation of this flaw will crash the antivirus service, leaving endpoints temporarily without active malware scanning and real-time protection. This creates a window of opportunity for attackers to deploy secondary payloads, such as ransomware, spyware, or remote access trojans, which would otherwise be detected and blocked. Repeated attacks could cause system instability and require manual intervention to restore protection, impacting user productivity and increasing the organization's risk of a more significant security breach.

Immediate Action: Apply the security updates provided by the vendor across all affected MacOS and Linux endpoints immediately to patch the vulnerability. After deployment, verify that the antivirus service is running and stable. Review system and application logs for evidence of recent antivirus process crashes which may indicate prior exploitation attempts.

Proactive Monitoring: Monitor endpoint security logs for unexpected crashes or restarts of the Avast antivirus service. Configure Endpoint Detection and Response (EDR) or Security Information and Event Management (SIEM) systems to generate alerts for repeated termination of the antivirus process. Network security monitoring can be used to inspect for an unusual influx of PE files targeting non-Windows systems.

Compensating Controls: If immediate patching is not feasible, implement stricter filtering at email gateways and web proxies to block or quarantine executable files (PE files) from untrusted sources. Ensure other security layers, such as host-based firewalls and EDR solutions, are enabled and fully updated to provide defense-in-depth and potentially detect follow-on malicious activity.

Public Exploit Available: false

Given the High severity rating (CVSS 7.5) and the critical role of antivirus software in an organization's defense-in-depth strategy, we recommend immediate action. The primary risk is the temporary disabling of endpoint protection, which could serve as a gateway for more damaging attacks. Although this vulnerability is not currently listed on the CISA KEV list, its potential impact on security posture warrants prioritizing the deployment of the vendor-provided patches to all affected systems.