Introduction
A single malformed file can disable or compromise the very antivirus engine meant to protect macOS systems. Security teams relying on Avast Antivirus for macOS in versions 8.3.70.94 up to but not including 8.3.70.98 face a critical risk: CVE-2025-8351, a heap-based buffer overflow and out-of-bounds read vulnerability, allows local attackers to execute code or crash the antivirus process during file scanning.
About Avast and Gen Digital: Avast is a core brand within Gen Digital, a global cybersecurity conglomerate serving over 500 million users across more than 150 countries. Avast's antivirus products are widely deployed in both consumer and enterprise environments, making vulnerabilities in their software highly impactful across the industry.
Technical Information
CVE-2025-8351 is the result of improper memory management in the Avast Antivirus scanning engine for macOS. When the engine scans a specially crafted malformed file, it allocates a buffer on the heap to process file data. The vulnerability occurs because the engine does not sufficiently validate the length of the incoming data before writing it into the buffer. This leads to two distinct issues:
-
Heap-based buffer overflow (CWE-122): Data written beyond the allocated buffer boundary can corrupt adjacent memory, potentially overwriting critical structures or function pointers. This can allow an attacker to execute arbitrary code within the context of the antivirus process or cause the process to crash.
-
Out-of-bounds read (CWE-125): The engine may also read data outside the intended buffer, which can result in information disclosure or further destabilize the process.
The attack vector is local: an attacker must deliver a malformed file to the target system. When Avast scans this file (during real-time, on-demand, or scheduled scans), the vulnerability is triggered. No public code snippets or proof of concept details are available as of this writing.
Affected Systems and Versions
- Product: Avast Antivirus for macOS
- Affected versions: 8.3.70.94 up to but not including 8.3.70.98
- Vulnerable component: Core scanning engine (file parsing during scan operations)
- All macOS configurations running affected versions are vulnerable
Vendor Security History
Avast, now part of Gen Digital, has previously addressed several security issues in its antivirus products. Notable examples include:
- CVE-2017-8308: Privilege escalation in Avast Antivirus
- CVE-2024-9484: Null-pointer dereference in Avast/AVG for macOS
- CVE-2024-9481: Other memory safety issues in Avast/AVG
The vendor maintains a public security advisory process and has a track record of releasing patches for critical issues. Their business solutions provide centralized patch management, which is essential for rapid deployment in enterprise environments.
