SentinelLabs, SentinelOne’s threat research team, has discovered two serious flaws in Avast and AVG. The vulnerabilities in the antivirus programs went undiscovered for a decade and could potentially affect tens of millions of users.
So far, SentinelLabs has found no evidence of abuse.
The vulnerabilities in Avast and AVG (acquired by Avast in 2016) allow attackers to escalate their privileges so they can disable security products, compromise the operating system, or perform malicious operations unimpeded.
According to Avast, the flaw was introduced in Avast 12.1, the software version released in January 2012. Given that it went unnoticed for over a decade, SentinelOne estimates that tens of millions of users may have been affected by it.
SentinelLabs reported its findings to Avast in December 2021, after which the vulnerabilities were assigned CVE-2022-26522 and CVE-2022-26523 (CVSS score: high severity). In the meantime, Avast has silently released security updates to address these vulnerabilities.
Most Avast and AVG users will receive the patch (version 22.1) automatically. However, those who use air-gapped or on-premises installations are advised to apply the patch manually as soon as possible.