cbcvebase.
CVE-2022-26522
published 2026-05-08

Priority: P1 · 79 · high · 7.8 (CVSS 3.1)
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.22% (12.1th percentile)
The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3.

Detection & IOCs (extracted from sources)

filename: aswArPot.sys
filename: kill-floor.exe
filename: ntfs.bin
other: aswArPot+0xc4a3
other: aswArPot+0xbb94
  • Detect the dropper binary kill-floor.exe and the dropped driver ntfs.bin (masquerading as an NTFS file) in the default Windows user folder as high-confidence indicators of this BYOVD attack chain.
  • Block or alert on loading of old/vulnerable versions of aswArPot.sys using driver signature/hash blocklist rules; Microsoft's vulnerable driver blocklist policy covers this driver.
  • The exploit for CVE-2022-26522 is triggered via a socket connection to the driver; monitor for unusual kernel-level socket connection handler activity in aswArPot.sys at offset 0xc4a3, particularly involving double-fetch of PPEB->ProcessParameters->CommandLine.Length.
  • Known threat actors exploiting CVE-2022-26522 include AvosLocker and Cuba ransomware families; detections for these families should include checks for vulnerable aswArPot.sys driver loading.
  • Avast confirmed the fix was in Avast 21.5 (June 2021) for the driver itself, and a Windows OS-level block (Windows 10 and 11) was also released preventing the old driver version from loading into memory.
  • The vulnerability can be triggered from sandboxes and may be exploitable beyond local privilege escalation, including as part of a second-stage browser attack or sandbox escape; detection scope should not be limited to local privilege escalation scenarios.