Avira antivirus allows code smuggling

Three high-risk security vulnerabilities in Avira antimalware software allow attackers to execute code with system privileges, among other things.

Avira logo next to a warning sign against a matrix background (Image: heise medien)


IT researchers have discovered security vulnerabilities in Avira's antimalware software that could allow attackers to compromise vulnerable systems. In some cases, they only need to place files in specific user-writable locations in the file system, which leads to the execution of arbitrary code with system privileges.

Specifically, the Quarkslab analysts demonstrate the vulnerabilities using the free “Avira Free Security” software, but Avira Internet Security and other software using the affected components are also vulnerable. In all cases, the attack relies on the same technique: making the attacked software delete specific files, which in turn enables code execution. Trend Micro's Zero-Day Initiative (ZDI) provides a comprehensive explanation of how such arbitrary file deletion can be abused.

The software's updater component does not check whether a file in “C:\ProgramData” is a symbolic link. Attackers can plant a malicious link there so that the service, which runs with “SYSTEM” rights, deletes arbitrary files elsewhere on the system. This allows for privilege escalation and complete system compromise (CVE-2026-27748, CVSS4 8.5, Risk “high”). The System Speedup component, on the other hand, deserializes data from a file in the same folder without any checks or security measures. By default, local users can create or modify this file. Attackers can exploit this either directly as a local user or remotely, for example by tricking unsuspecting victims through social engineering, to execute arbitrary code with “SYSTEM” privileges (CVE-2026-27749, CVSS4 8.5, Risk “high”).

The third security vulnerability affects the Optimizer component and is a timing issue: a path is checked but can still be modified before it is used (time-of-check to time-of-use, TOCTOU). First, the privileged service scans which folders can be deleted for system cleanup, and then it deletes them in a second pass. Attackers can replace an already scanned directory with a junction or another so-called reparse point between the two passes and thus trick the service into deleting arbitrary files or folders with the highest privileges, with the consequences described above (CVE-2026-27750, CVSS4 8.5, Risk “high”).
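As an added illustration (not Avira's or Quarkslab's code), the following Python model shows the two checks the article says were missing: refusing to follow symlinks, junctions or other reparse points out of a user-writable folder, and re-checking at deletion time instead of trusting an earlier scan pass. The folder and file names in `demo()` are constructed.

```python
import os
import stat
import tempfile

# Windows lstat exposes attribute bits; this flag covers symlinks, junctions and
# other reparse points (the stat module defines the constant on Windows only).
_REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)

def is_link(path: str) -> bool:
    """True if the path itself is a symlink (any OS) or a reparse point (Windows)."""
    st = os.lstat(path)  # lstat never follows the link
    return stat.S_ISLNK(st.st_mode) or bool(getattr(st, "st_file_attributes", 0) & _REPARSE)

def safe_to_delete(path: str, base: str) -> bool:
    """Inspect every component below base, not just the leaf: a junction planted on
    an intermediate directory redirects the whole subtree underneath it."""
    base, path = os.path.abspath(base), os.path.abspath(path)
    rel = os.path.relpath(path, base)
    if rel in (os.curdir, os.pardir) or rel.startswith(os.pardir + os.sep):
        return False  # the managed folder itself, or a target outside it
    cur = base
    for part in rel.split(os.sep):
        cur = os.path.join(cur, part)
        if not os.path.lexists(cur) or is_link(cur):
            return False
    return True

def cleanup(base: str, candidates: list[str]) -> list[str]:
    """Delete candidates from an earlier scan pass, re-checking each one at deletion
    time: trusting the scan-time verdict is the TOCTOU gap described above. A small
    check-to-remove window remains, so a privileged Windows service should delete
    through a handle opened without following reparse points rather than by path."""
    removed = []
    for p in candidates:
        if safe_to_delete(p, base):
            os.remove(p)
            removed.append(p)
    return removed

def demo() -> dict:
    """Constructed scenario: a victim file outside the managed folder, a real temp
    file inside it, and a planted symlink inside it that points at the victim."""
    root = tempfile.mkdtemp()
    victim, base = os.path.join(root, "victim.txt"), os.path.join(root, "ProgramData")
    os.mkdir(base)
    good, planted = os.path.join(base, "cache.tmp"), os.path.join(base, "planted.tmp")
    for f in (victim, good): open(f, "w").close()
    os.symlink(victim, planted)  # the attacker-controlled link
    removed = cleanup(base, [good, planted])
    return {"removed": [os.path.basename(p) for p in removed],
            "victim_intact": os.path.exists(victim)}
```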


The vulnerabilities affect Avira versions up to and including 1.1.109.1990. Version 1.1.114.3113, which apparently became available in early February 2026, is said to fix the security holes. Anyone using Avira should therefore quickly make sure that the software is actually up to date. In May of last year, TuneUp and other services in Avira, AVG and Norton products had already opened up security vulnerabilities in Windows systems.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.