CVE-2022-26523
Published 2026-05-08
Priority: P1 · 81 · medium · CVSS 3.1 base score 5.3
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Tags: ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.25% (16.2th percentile)
The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xbb94.
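The "double fetch" in the description is a time-of-check/time-of-use race on memory the kernel reads from user space: the handler reads a length field, validates it, then reads the same field again to perform the copy, and a second user-mode thread can change the value between the two reads. The C below is an added example written for this page, not code from aswArPot.sys or from SentinelLabs' write-up; the request layout, the buffer sizes and the deterministic "race hook" that stands in for the attacker's thread are all assumptions. It puts the vulnerable shape beside the single-fetch fix.

```c
/* Added example, not Avast driver code: the double-fetch pattern behind a
 * "user controlled length" bug, beside the single-fetch fix.
 * The user buffer is simulated as a struct in process memory; the attacker's
 * second thread is simulated by a hook called between the two fetches so the
 * race outcome is deterministic. Layout and sizes are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KBUF_SIZE 64u          /* what the kernel-side copy is allowed to hold */
#define USER_DATA_MAX 256u

struct user_msg {               /* hypothetical request header + payload */
    volatile uint32_t len;      /* user-writable at any time, even mid-call */
    uint8_t data[USER_DATA_MAX];
};

typedef void (*race_hook)(struct user_msg *);  /* stands in for a racing thread */

/* Vulnerable: the length is fetched from user memory twice. Returns the byte
 * count actually copied, or -1 if the first fetch fails validation. Any return
 * value above KBUF_SIZE means the kernel buffer was overrun. */
int handler_double_fetch(struct user_msg *u, race_hook hook)
{
    uint8_t kbuf[KBUF_SIZE + USER_DATA_MAX]; /* slack so the demo itself cannot crash */
    uint32_t checked_len = u->len;           /* fetch 1: used for the bounds check */
    if (checked_len > KBUF_SIZE)
        return -1;
    if (hook)
        hook(u);                             /* the race window */
    uint32_t copy_len = u->len;              /* fetch 2: used for the copy */
    if (copy_len > USER_DATA_MAX)            /* keeps the demo in bounds; a real driver has no such cap */
        copy_len = USER_DATA_MAX;
    memcpy(kbuf, u->data, copy_len);         /* bounded only by the stale check */
    return (int)copy_len;
}

/* Fixed: fetch once into a kernel-owned local, validate that copy, use that copy. */
int handler_single_fetch(struct user_msg *u, race_hook hook)
{
    uint8_t kbuf[KBUF_SIZE];
    uint32_t len = u->len;                   /* the only read of user memory */
    if (len > KBUF_SIZE)
        return -1;
    if (hook)
        hook(u);                             /* same window; the local is unaffected */
    memcpy(kbuf, u->data, len);
    return (int)len;
}

/* the "attacker thread": rewrites len after the check has passed */
static void flip_len(struct user_msg *u) { u->len = 200; }

/* Run one handler on a constructed request; use_fix selects the hardened handler. */
int run(int use_fix, uint32_t initial_len, int raced)
{
    struct user_msg m;
    m.len = initial_len;
    memset(m.data, 'A', sizeof m.data);
    race_hook h = raced ? flip_len : NULL;
    return use_fix ? handler_single_fetch(&m, h) : handler_double_fetch(&m, h);
}

int main(void)
{
    printf("double fetch, no race : %d bytes\n", run(0, 16, 0));                       /* 16 */
    printf("double fetch, raced   : %d bytes (limit %u)\n", run(0, 16, 1), KBUF_SIZE); /* 200 */
    printf("single fetch, raced   : %d bytes\n", run(1, 16, 1));                       /* 16 */
    return 0;
}
```

The fix is not "check harder"; it is "read once". Any value that drives a size, an index or a pointer must be copied out of user memory exactly once into kernel-owned storage and every later use must refer to that copy, which is what the second handler does.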
Detection & IOCs (extracted from sources)
- Alert on bulk process termination of security tool processes (142 hardcoded names including McAfee, Symantec, Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET, BlackBerry) following driver installation.
- CVE-2022-26523 can be triggered via image load callback in addition to socket connection; monitor for unexpected image load callbacks originating from non-privileged user processes interacting with aswArPot.sys.
- Block or alert on loading of vulnerable versions of aswArPot.sys (pre-22.1 / pre-Avast 21.5) using driver signature/hash blocklist rules; Microsoft's vulnerable driver blocklist policy covers this driver.
- AvosLocker and Cuba ransomware families are known to exploit CVE-2022-26522 and CVE-2022-26523; correlate aswArPot.sys driver abuse with ransomware deployment activity from these families.
- The vulnerability (CVE-2022-26523) was fixed in Avast/AVG version 22.1 (released beginning of 2022); the vulnerable feature was introduced as far back as Avast 12.1, meaning any version between 12.1 and 22.1 is affected.
- Avast clarified that the vulnerable driver was fixed in Avast 21.5 (June 2021) and that a Windows OS-level block was released for Windows 10 and 11 preventing the old driver version from loading into memory.
- The vulnerability can be exploited from sandboxes and may be usable as a second-stage browser exploit or sandbox escape, not only for local privilege escalation.
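Two of the bullets above combine into one detection: a load of a pre-fix aswArPot.sys followed shortly by a burst of terminations of security-vendor processes. The C below is an added example written for this page, not a rule from any of the cited sources; the event record layout, the 30-second window, the four-process stand-in for the 142-name list and the version threshold are assumptions. The threshold is a parameter because the page's own sources disagree on the fix version (the CVE text says 22.1, Avast says 21.5).

```c
/* Added example, not from any cited source: correlate a vulnerable
 * aswArPot.sys load with a burst of security-process terminations, over
 * constructed events. Field layout, window and name list are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <ctype.h>
#include <stdio.h>

enum ev_kind { EV_DRIVER_LOAD, EV_PROC_TERMINATE };

struct event {
    enum ev_kind kind;
    long ts;                   /* seconds since epoch; events are assumed sorted */
    const char *image;         /* driver file name, or terminated process image */
    int ver_major, ver_minor;  /* driver file version; ignored for terminations */
};

/* Stand-in for the 142-name list described in the Trellix/BleepingComputer report. */
static const char *SECURITY_PROCS[] = {
    "MsMpEng.exe", "SentinelAgent.exe", "ekrn.exe", "ccSvcHst.exe", NULL
};

/* Windows image names are case-insensitive. */
static bool name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

static bool is_security_process(const char *image)
{
    for (const char **p = SECURITY_PROCS; *p; p++)
        if (name_eq(image, *p))
            return true;
    return false;
}

/* True for a load of aswArPot.sys with file version below fix_major.fix_minor. */
bool is_vulnerable_driver_load(const struct event *e, int fix_major, int fix_minor)
{
    if (e->kind != EV_DRIVER_LOAD || !name_eq(e->image, "aswArPot.sys"))
        return false;
    return e->ver_major < fix_major ||
           (e->ver_major == fix_major && e->ver_minor < fix_minor);
}

/* Count alerts: one per vulnerable driver load that is followed, within
 * window_s seconds, by at least min_kills security-process terminations. */
int correlate_byovd(const struct event *evs, size_t n, long window_s,
                    int min_kills, int fix_major, int fix_minor)
{
    int alerts = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_vulnerable_driver_load(&evs[i], fix_major, fix_minor))
            continue;
        int kills = 0;
        for (size_t j = i + 1; j < n && evs[j].ts - evs[i].ts <= window_s; j++)
            if (evs[j].kind == EV_PROC_TERMINATE && is_security_process(evs[j].image))
                kills++;
        if (kills >= min_kills)
            alerts++;
    }
    return alerts;
}

/* Constructed sample: an old driver followed by an AV-kill burst (alert),
 * a patched driver followed by the same burst (no alert), and an old driver
 * followed by a single termination (below threshold, no alert). */
const struct event SAMPLE[] = {
    { EV_DRIVER_LOAD,    100, "aswArPot.sys",      21, 0 },
    { EV_PROC_TERMINATE, 101, "MsMpEng.exe",        0, 0 },
    { EV_PROC_TERMINATE, 102, "sentinelagent.exe",  0, 0 },
    { EV_PROC_TERMINATE, 103, "ekrn.exe",           0, 0 },
    { EV_PROC_TERMINATE, 104, "notepad.exe",        0, 0 },
    { EV_DRIVER_LOAD,    500, "aswArPot.sys",      22, 1 },
    { EV_PROC_TERMINATE, 501, "MsMpEng.exe",        0, 0 },
    { EV_PROC_TERMINATE, 502, "ekrn.exe",           0, 0 },
    { EV_PROC_TERMINATE, 503, "ccSvcHst.exe",       0, 0 },
    { EV_DRIVER_LOAD,    900, "aswArPot.sys",      20, 4 },
    { EV_PROC_TERMINATE, 901, "MsMpEng.exe",        0, 0 },
};
const size_t SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];

int demo_alerts(void)
{
    return correlate_byovd(SAMPLE, SAMPLE_N, 30, 3, 22, 1);  /* 1 */
}

int main(void)
{
    printf("BYOVD alerts in sample: %d\n", demo_alerts());
    return 0;
}
```

Matching on the file name and version is the weakest form of this check; a renamed copy of the driver passes it. In production the driver-load event should be keyed on the file hash or Authenticode signer and compared against the Microsoft vulnerable driver blocklist mentioned above, with the version check kept only as a fallback.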
GHSA
GHSA-h488-x5g3-rjr5 (ghsa_unreviewed · 2026-05-08)
CVE-2022-26523 · MEDIUM · CWE-400
The advisory text repeats the description above verbatim.
VulnCheck
Avast Anti Rootkit kernel driver user controlled length (vulncheck · 2022)
CVE-2022-26523: Avast Anti Rootkit kernel driver user controlled length in aswArPot+0xbb94
Affected: Avast Anti Rootkit
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://securelist.com/crimeware-report-ransomware-tactics-vulnerable-drivers/108197/
- https://securelist.com/new-ransomware-trends-in-2023/109660/
- https://securelist.com/cuba-ransomware/110533/
No detection rules found.
No public exploits indexed.
BleepingComputer
Hackers abuse Avast anti-rootkit driver to disable defenses
blogs_bleepingcomputer · 2024-11-23 · Bill Toulas
A new malicious campaign is using a legitimate but old and vulnerable Avast Anti-Rootkit driver to evade detection and take control of the target system by disabling security components.
The malware that drops the driver is a variant of an AV Killer of no particular family. It comes with a hardcoded list of 142 names for security processes from various vendors.
Since the driver can operate at kernel level, it provides access to critical parts of the operating system and allows the malware to terminate processes.
Security researchers at cybersecurity company Trellix recently discovered a new attack that leverages the bring-your-own-vulnerable-driver (BYOVD) approach with an old version of the anti-rootkit dri
Securelist
From Caribbean shores to your devices: analyzing Cuba ransomware (also indexed as "Analysis of Cuba ransomware gang activity and tooling")
blogs_securelist · 2023-09-11
Table of Contents
- Introduction
- Cuba ransomware gang
- Victimology
- Ransomware
- Cuba extortion model
- Arsenal
- Profits
- Investigation of a Cuba-related incident and analysis of the malware
  - Host: SRV_STORAGE
  - Bughatch
  - SRV_Service host
  - Veeamp
  - Avast Anti-Rootkit driver
  - Burntcigar
  - SRV_MAIL host (Exchange server)
  - SqlDbAdmin
  - Cobalt Strike
- New malware
- BYOVD (Bring Your Own Vulnerable Driver)
- Conclusion
- Appendix
Authors
- Alexander Kirichenko
- Gleb Ivanov
## Introduction
Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures. We hope this article will help you to stay one step ahead of threats like this one.
## Cuba ransomware gang
Cuba data leak site
The group’s offe
Securelist
Overview of ransomware trends in 2023 (also indexed as "New ransomware trends in 2023")
blogs_securelist · 2023-05-11
Table of Contents
- Looking back on last year’s report
- What else shaped the ransomware landscape in 2022
- Ransomware from an incident response perspective
- Our predictions for 2023 trends
  - Trend 1: More embedded functionality
  - Trend 2: Driver abuse
  - Trend 3: Code adoption from other families to attract even more affiliates
- Conclusion
Authors
- GReAT
Ransomware keeps making headlines. In a quest for profits, attackers target all types of organizations, from healthcare and educational institutions to service providers and industrial enterprises, affecting almost every aspect of our lives. In 2022, Kaspersky solutions detected over 74.2M attempted ransomware attacks which was 20% more than in 2021 (61.7M). Although early 2023 saw a slight decline in the number of ransomware attacks, they were more sophisticated and better targeted.
On the eve of the global Anti-Ransomware Day, Kaspersky looks back on the events tha
Securelist
Kaspersky crimeware report: ransomware propagation and driver abuse (also indexed as "Crimeware trends: self-propagation and driver exploitation")
blogs_securelist · 2022-12-05
Table of Contents
- Introduction
- Some ransomware statistics
- LockBit
- Play
- Driver abuse
- Conclusion
Authors
- GReAT
- AMR
## Introduction
If one sheep leaps over the ditch, the rest will follow. This is an old saying, found in various languages, and it can be applied to ransomware developers. In previous blog posts, we highlighted an increase in the popularity of platform-independent languages and ESXi support, and recently, we wrote about ransomware borrowing these propagation methods.
Last month, we wrote in our crimeware reporting service about further ransomware variants that now had their own methods for copying and executing malware on other machines within the network. We also wrote about a case of abusing vulnerable drivers, something that might become popular in the future as
SentinelOne
Vulnerabilities in Avast And AVG Put Millions At Risk
blogs_sentinelone · 2022-05-05
## Executive Summary
- SentinelLabs has discovered two high severity flaws in Avast and AVG (acquired by Avast in 2016) that went undiscovered for years affecting dozens of millions of users.
- These vulnerabilities allow attackers to escalate privileges enabling them to disable security products, overwrite system components, corrupt the operating system, or perform malicious operations unimpeded.
- SentinelLabs’ findings were proactively reported to Avast during December 2021 and the vulnerabilities are tracked as CVE-2022-26522 and CVE-2022-26523.
- Avast has silently released security updates to address these vulnerabilities.
- At this time, SentinelLabs has not discovered evidence of in-the-wild abuse.
## Introduction
Avast’s “Anti Rootkit” driver (also used by AVG) has been found t