Security researchers have discovered a heap overflow flaw in Kaspersky antivirus engine which allows arbitrary code execution.
The flaw tracked as CVE-2019-8285 was discovered by security researchers at Imaginary team.
According to the security advisory, the flaw is because it fails to perform adequate boundary checks on user-supplied data.
“Attackers can exploit this issue to execute arbitrary code within the context of the application. Given the nature of this issue, attackers may also be able to cause a denial-of-service condition, but this has not been confirmed.” said in the advisory
The flaw could allow third parties to remotely execute arbitrary code on the victims PC with system privileges.
“This issue was classified as heap-based buffer overflow vulnerability. Memory corruption during JS file scan could lead to execution of arbitrary code on a user machine.” said in the security advisory published Kaspersky labs.
The vulnerability received a CVSSv3 Score of 8.0 and all Kaspersky products with antivirus databases are affected by the flaw.
Kaspersky patched the flaw through a product update on 4th April 2019.
You may be interested in reading: New Emotet Trojan Variant Uses Compromised Devices as Proxy C&C Servers