CVE-2026-27749

Avira Internet Security contains a deserialization of untrusted data vulnerability in the System Speedup component. The Avira.SystemSpeedup.RealTimeOptimizer.exe process, which runs with SYSTEM privileges, deserializes data from a file located in C:\\ProgramData using .NET BinaryFormatter without implementing input validation or deserialization safeguards. Because the file can be created or modified by a local user in default configurations, an attacker can supply a crafted serialized payload that is deserialized by the privileged process, resulting in arbitrary code execution as SYSTEM.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://blog.quarkslab.com/avira-deserialize-delete-and-escalate-the-proper-way-to-use-an-av.html	Third Party Advisory
https://support.avira.com/hc/en-us/articles/360010656158-Current-Avira-versions	Release Notes
https://www.avira.com/en/internet-security	Product
https://www.vulncheck.com/advisories/avira-internet-security-system-speedup-insecure-deserialization	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:avira:internet_security:*:*:*:*:*:windows:*:*

History

No history.

Information

Published : 2026-03-05 15:16

Updated : 2026-03-13 01:21

NVD link : CVE-2026-27749

Mitre link : CVE-2026-27749

CVE.ORG link : CVE-2026-27749

JSON object : View

Products Affected

avira

internet_security

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2026-27749", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-05T15:16:11.963", "references": [{"url": "https://blog.quarkslab.com/avira-deserialize-delete-and-escalate-the-proper-way-to-use-an-av.html", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://support.avira.com/hc/en-us/articles/360010656158-Current-Avira-versions", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.avira.com/en/internet-security", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/avira-internet-security-system-speedup-insecure-deserialization", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Avira Internet Security contains a deserialization of untrusted data vulnerability in the System Speedup component. The Avira.SystemSpeedup.RealTimeOptimizer.exe process, which runs with SYSTEM privileges, deserializes data from a file located in C:\\\\ProgramData using .NET BinaryFormatter without implementing input validation or deserialization safeguards. Because the file can be created or modified by a local user in default configurations, an attacker can supply a crafted serialized payload that is deserialized by the privileged process, resulting in arbitrary code execution as SYSTEM."}, {"lang": "es", "value": "Avira Internet Security contiene una vulnerabilidad de deserializaci\u00f3n de datos no confiables en el componente System Speedup. El proceso Avira.SystemSpeedup.RealTimeOptimizer.exe, que se ejecuta con privilegios del SISTEMA, deserializa datos de un archivo ubicado en C:\\\\ProgramData utilizando .NET BinaryFormatter sin implementar validaciones de entrada ni medidas de seguridad para la deserializaci\u00f3n. Dado que el archivo puede ser creado o modificado por un usuario local en las configuraciones predeterminadas, un atacante puede proporcionar una carga \u00fatil serializada dise\u00f1ada que sea deserializada por el proceso con privilegios, lo que da lugar a la ejecuci\u00f3n de c\u00f3digo arbitrario como SYSTEM."}], "lastModified": "2026-03-13T01:21:04.073", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:avira:internet_security:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "DFB6EFB7-8777-4A9B-9A00-2FBEE12A7090", "versionEndExcluding": "1.1.114.3113"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}