This vulnerability (CVE-2025-7011) involves a heap out-of-bounds read in the scanning engine used by Gen Digital's antivirus products, including Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus. The issue occurs when scanning a malformed zip file containing XML data, potentially leading to local code execution or denial-of-service conditions. The affected component is delivered through a shared virus definition update stream, with affected versions identified by virus definition builds from 25020100 up to but not including 25021208. The vulnerability is present on Windows, macOS, and Linux platforms. The CVSS 3.1 base score is 7.8, indicating high severity with impact on confidentiality, integrity, and availability. No explicit vendor advisory or patch link is provided, and the remediation level is not stated, but the update stream build number indicates that updating virus definitions to build 25021208 or later mitigates the issue.

Successful exploitation may allow an attacker with local access to cause denial-of-service of the antivirus process or execute code locally with the privileges of the antivirus scanning engine. This impacts confidentiality, integrity, and availability of the affected systems. The vulnerability arises from improper bounds checking when processing malformed zip files containing XML during scanning.

Updating virus definitions to build 25021208 or later mitigates this vulnerability, as the scanning logic in these builds addresses the out-of-bounds read issue. Users should ensure their antivirus products receive and apply the latest virus definition updates from Gen Digital. No other specific mitigation or workaround is indicated. Patch status is not explicitly confirmed via vendor advisory, but the virus definition build number provides a clear remediation path.