CVE-2022-26523
published 2026-05-08


Priority: P181 (medium)
CVSS 3.1 base score: 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Tags: Exploited in the wild (ITW), VulnCheck KEV, Ransomware
EPSS: 0.25% (16.2th percentile)
The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xbb94.

Detection & IOCs (extracted from sources)

filename: kill-floor.exe
filename: ntfs.bin
  • Alert on bulk process termination of security tool processes (142 hardcoded names including McAfee, Symantec, Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET, BlackBerry) following driver installation.
  • CVE-2022-26523 can be triggered via image load callback in addition to socket connection — monitor for unexpected image load callbacks originating from non-privileged user processes interacting with aswArPot.sys.
  • Block or alert on loading of vulnerable versions of aswArPot.sys (pre-22.1 / pre-Avast 21.5) using driver signature/hash blocklist rules; Microsoft's vulnerable driver blocklist policy covers this driver.
  • AvosLocker and Cuba ransomware families are known to exploit CVE-2022-26522 and CVE-2022-26523 — correlate aswArPot.sys driver abuse with ransomware deployment activity from these families.
  • The vulnerability (CVE-2022-26523) was fixed in Avast/AVG version 22.1 (released at the beginning of 2022); the vulnerable feature was introduced as far back as Avast 12.1, meaning any version between 12.1 and 22.1 is affected.
  • Avast clarified that the vulnerable driver was fixed in Avast 21.5 (June 2021) and that a Windows OS-level block was released for Windows 10 and 11, preventing the old driver version from loading into memory.
  • The vulnerability can be exploited from sandboxes and may be usable as a second-stage browser exploit or sandbox escape, not only for local privilege escalation.
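The following is an added example, not part of this CVE record or any vendor tooling, showing how two of the detection notes above could be applied to endpoint telemetry: flag a load of aswArPot.sys with a file version below the 22.1 fix line, and flag one process terminating many security-tool processes within a short window after such a load. The event format, field names, process paths and sample timestamps are all constructed for this example; the vendor keyword list is taken from the note above.

```python
"""
Added example for the CVE-2022-26523 detection notes (not from the source page).
Rules implemented over constructed sample telemetry:
  1. driver_load of aswArPot.sys with version < 22.1 (the fixed Avast/AVG release)
  2. one PID terminating >= BULK_THRESHOLD security-tool processes within WINDOW
     after such a load (the "bulk process termination" note)
Event line format (assumption): timestamp|event|pid|image_path[|key=value ...]
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Vendor names from the detection note, matched case-insensitively against image paths.
SECURITY_VENDORS = (
    "mcafee", "symantec", "sophos", "avast", "trend micro", "trendmicro",
    "defender", "sentinelone", "eset", "blackberry",
)
FIXED_VERSION = (22, 1)          # aswArPot.sys fixed in Avast/AVG 22.1 per the CVE text
BULK_THRESHOLD = 5               # terminations by one PID that count as "bulk" (assumed)
WINDOW = timedelta(minutes=10)   # watch period after a vulnerable driver load (assumed)

# Constructed sample events; paths and PIDs are made up for this example.
SAMPLE_EVENTS = r"""
2024-01-01T10:00:00|driver_load|4|C:\Windows\System32\drivers\aswArPot.sys|version=21.4.0.0
2024-01-01T10:00:05|process_terminate|5678|C:\Program Files\McAfee\service.exe
2024-01-01T10:00:06|process_terminate|5678|C:\Program Files\Symantec\service.exe
2024-01-01T10:00:07|process_terminate|5678|C:\Program Files\Sophos\service.exe
2024-01-01T10:00:08|process_terminate|5678|C:\Program Files\SentinelOne\service.exe
2024-01-01T10:00:09|process_terminate|5678|C:\Program Files\ESET\service.exe
2024-01-01T10:00:10|process_terminate|5678|C:\Program Files\Windows Defender\service.exe
2024-01-01T10:00:11|process_terminate|5678|C:\Windows\System32\notepad.exe
2024-01-01T11:00:00|driver_load|4|C:\Windows\System32\drivers\aswArPot.sys|version=22.1.0.0
2024-01-01T11:30:00|process_terminate|9999|C:\Program Files\ESET\service.exe
"""


def parse_version(text):
    """'21.4.0.0' -> (21, 4, 0, 0); a missing or garbled version compares as (0,)."""
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts) or (0,)


def parse_event(line):
    """Split one pipe-delimited event line into a dict; trailing key=value pairs are merged in."""
    ts, kind, pid, path, *rest = line.split("|")
    extra = dict(kv.split("=", 1) for kv in rest if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "pid": int(pid), "path": path, **extra}


def is_vulnerable_driver_load(ev):
    """True for a driver_load of aswArPot.sys whose version is below the 22.1 fix."""
    if ev["kind"] != "driver_load":
        return False
    if PureWindowsPath(ev["path"]).name.lower() != "aswarpot.sys":
        return False
    return parse_version(ev.get("version", "")) < FIXED_VERSION


def is_security_tool(path):
    """Keyword match of the vendor list against the terminated image path."""
    lowered = path.lower()
    return any(vendor in lowered for vendor in SECURITY_VENDORS)


def analyze(log_text):
    """Return a list of alert dicts: vulnerable driver loads first, then bulk terminations."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    alerts, vuln_loads = [], []
    for ev in events:
        if is_vulnerable_driver_load(ev):
            vuln_loads.append(ev)
            alerts.append({"rule": "vulnerable_driver_load", "pid": ev["pid"],
                           "path": ev["path"], "version": ev.get("version")})

    # Count security-tool terminations per terminating PID inside the window after a vulnerable load.
    kills = defaultdict(list)
    for ev in events:
        if ev["kind"] != "process_terminate" or not is_security_tool(ev["path"]):
            continue
        if any(load["ts"] <= ev["ts"] <= load["ts"] + WINDOW for load in vuln_loads):
            kills[ev["pid"]].append(ev["path"])
    for pid, paths in kills.items():
        if len(paths) >= BULK_THRESHOLD:
            alerts.append({"rule": "bulk_security_tool_termination", "pid": pid, "count": len(paths)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this yields two alerts: the 21.4 driver load, and PID 5678 for six security-tool terminations; the 22.1 load and the single later termination by PID 9999 are not flagged. The version threshold is the 22.1 figure from the CVE text; the note above also cites 21.5 as the fixed driver, so an environment that tracks driver builds rather than product versions would set FIXED_VERSION accordingly.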