CVE-2026-27749
Severity CVSS v4.0:
HIGH
Type:
CWE-502
Deserialization of Untrusted Dat
Publication date:
05/03/2026
Last modified:
05/03/2026
Description
Avira Internet Security contains a deserialization of untrusted data vulnerability in the System Speedup component. The Avira.SystemSpeedup.RealTimeOptimizer.exe process, which runs with SYSTEM privileges, deserializes data from a file located in C:\\ProgramData using .NET BinaryFormatter without implementing input validation or deserialization safeguards. Because the file can be created or modified by a local user in default configurations, an attacker can supply a crafted serialized payload that is deserialized by the privileged process, resulting in arbitrary code execution as SYSTEM.
Impact
Base Score 4.0
8.50
Severity 4.0
HIGH
Base Score 3.x
7.80
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://blog.quarkslab.com/avira-deserialize-delete-and-escalate-the-proper-way-to-use-an-av.html
- https://support.avira.com/hc/en-us/articles/360010656158-Current-Avira-versions
- https://www.avira.com/en/internet-security
- https://www.vulncheck.com/advisories/avira-internet-security-system-speedup-insecure-deserialization