CVE-2016-2208
published 2016-05-19


Priority: P265, critical, 9.1 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EXPLOIT
EPSS: 19.18% (97.0th percentile)
The kernel component in Symantec Anti-Virus Engine (AVE) 20151.1 before 20151.1.1.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory access violation and system crash) via a malformed PE header file.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
symantec | anti-virus_engine | <= 20151.1.0.32 |

Detection & IOCs

filename: NAVEX15.SYS
path: \??\C:\Program Files\Norton Security\NortonData\22.6.0.142\Definitions\VirusDefs\20160506.004\NAVEX15.SYS
process: NS.exe
process: ccSvcHost.exe
  • Trigger condition: malformed PE header where SizeOfRawData is greater than SizeOfImage in an ASPack-packed executable — causes heap/pool overflow during AV scan. Look for PE files with section raw size exceeding image size.
  • Exploit delivery requires no user interaction beyond receiving an email or visiting a URL — the Symantec filter driver intercepts all system I/O and scans the file automatically on download/receipt.
  • On Windows, monitor for PAGE_FAULT_IN_NONPAGED_AREA (BugCheck 0x50) kernel crashes originating from NS.exe or ccSvcHost.exe, particularly with a faulting instruction in nt!memcpy triggered by NAVEX15.SYS.
  • Crafted PE section table pattern to detect PoC: section named '.data' with RVA=fff8, VSZ=0, RAW_SZ=ffffffff — flag any PE with a section whose SizeOfRawData is 0xFFFFFFFF.
  • On Linux/Mac, monitor for unexpected heap corruption crashes (SIGSEGV/SIGABRT) in the Symantec or Norton scanning process running as root when processing PE/ASPack files.
  • The vulnerability exists in the kernel-loaded scan engine on Windows (NAVEX15.SYS loaded into ring0), meaning exploitation results in kernel pool corruption; standard user-mode mitigations (ASLR, DEP) do not apply.
  • File extension is irrelevant for triggering the vulnerability: the scan engine processes file content regardless of extension, so renaming the malicious PE (e.g., to .txt) does not prevent exploitation.
  • Affected version is Symantec Anti-Virus Engine (AVE) 20151.1 before 20151.1.1.4; the NAVEX15.SYS timestamp in the crash dump is Tue Oct 13 17:32:30 2015 (561DA29E), which can be used to identify unpatched installations.
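
The section-size checks described in the bullets above can be run as a static triage over files at a mail or web gateway. The following is an added example, not code from this page or from Symantec; the function names `section_anomalies` and `build_headers` are assumptions, and the sample input is a constructed headers-only buffer.

```python
import struct

RAW_MAX = 0xFFFFFFFF

def section_anomalies(data: bytes) -> list:
    """Flag PE sections whose SizeOfRawData is 0xFFFFFFFF or exceeds SizeOfImage."""
    findings = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return findings                          # not a PE candidate
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return findings
    # COFF header follows the 4-byte signature.
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    if opt_size < 60 or opt_off + opt_size > len(data):
        return findings
    # SizeOfImage is at offset 56 of the optional header in PE32 and PE32+.
    size_of_image = struct.unpack_from("<I", data, opt_off + 56)[0]
    table = opt_off + opt_size
    for i in range(n_sections):
        off = table + 40 * i                     # each section header is 40 bytes
        if off + 40 > len(data):
            findings.append((i, "", "section header truncated"))
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, raw_size = struct.unpack_from("<3I", data, off + 8)
        if raw_size == RAW_MAX:
            findings.append((i, name, "SizeOfRawData is 0xFFFFFFFF"))
        elif raw_size > size_of_image:
            findings.append((i, name, "SizeOfRawData exceeds SizeOfImage"))
    return findings

def build_headers(size_of_image, sections):
    """Constructed test input: PE headers only (no code, no packer stub)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 56, size_of_image)
    table = b"".join(
        name.ljust(8, b"\0") + struct.pack("<8I", vsz, rva, raw, 0, 0, 0, 0, 0)
        for name, rva, vsz, raw in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table
```

A finding is a triage signal for quarantine or manual review, not a verdict; the check only reads header fields and never unpacks or maps the file.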

CVSS provenance

nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
nvd | v2.0 | 9.4 | CRITICAL | AV:N/AC:L/Au:N/C:N/I:C/A:C