Three vulnerabilities in Avira Internet Security, from an arbitrary file delete primitive to two distinct paths to SYSTEM privileges.
3 LPE vectors via symlink abuse (CVE-2026-27748, CVE-2026-27750) and unsafe deserialization (CVE-2026-27749).
Disclosure Timeline
Below we include a timeline of all the relevant events during the coordinated vulnerability disclosure process with the intent of providing transparency to the whole process and our actions.
- 2025-10-25: Quarkslab sent mail to cert@gendigital.com (parent company of Avira) asking for a contact to report vulnerabilities over email. Quarkslab wrote: "we are aware of your vulnerability reporting web page but would like to report via email because your web form requires us to agree to your bug bounty platform's terms and conditions, which includes clauses Quarkslab cannot accept".
- 2025-10-25: Quarkslab opened a bug report on Gendigital's bug bounty platform (Bugcrowd) with the same text as in the email.
- 2025-10-28: Quarkslab sent mail to security@avira.com asking for a contact to report vulnerabilities over email, explaining why it could not submit the report over the bug bounty platform.
- 2025-10-29: Gendigital replied over email stating that it is their policy to only accept vulnerabilities through their published bug bounty program and that any issue submitted to them outside of those established programs will not be acknowledged in any manner.
- 2025-10-30: Quarkslab replied quoting the exact clause from the Terms of the bug bounty program considered problematic and not acceptable: "ALL SUBMISSIONS ARE CONFIDENTIAL INFORMATION OF THE PROGRAM OWNER UNLESS OTHERWISE STATED IN THE BOUNTY BRIEF. This means no submissions may be publicly disclosed at any time unless the Program Owner has otherwise consented to disclosure". Quarkslab explained that we could not agree to give up the right to publish our research work on our own terms, and therefore we could not use their bug bounty program to report the vulns. However, if Gendigital gave us explicit written approval to publish our research, including all relevant technical details without any editorial interference, after 90 calendar days of the initial reporting date, we would gladly submit the report on the bug bounty platform. We hoped Gendigital would understand our position and agree to the proposed compromise solution.
- 2025-11-05: Gendigital replied that they are "committed to coordinated public disclosure of reported, valid security findings and in recognizing and awarding that work. Publishing reviewed and approved information once the issue is resolved with a timeline that allows customers appropriate time to update. Properly reported and resolved issues are also recognized with a Common Vulnerabilities and Exposures (CVE) reports, as well as monetary awards aligned with the severity of the report" and that they "believe these are fair and appropriate actions that recognize the efforts of security researchers while ensuring our customers are properly protected", and looked forward to reviewing and working with Quarkslab to resolve any reported issues.
- 2025-11-18: Quarkslab replied that Gendigital had indicated that the only way to report vulnerabilities was via their bug bounty platform but we explained that the Terms of Service of their program were not acceptable. We clarified that we were not interested in monetary rewards and simply wanted to report the vulns so they could get fixed but could not do it if that also implied giving up the right to publish our work. Quarkslab explained that imposing that requirement is neither fair nor appropriate. Our proposal was that the vendor explicitly accepted publication of any vulnerability report submitted on the bug bounty platform in 90 calendar days since the date of the initial report but unfortunately the response was just a generic statement about their commitment to coordinated vulnerability disclosure, not an actual response to what we proposed. Therefore Quarkslab wrote that it would refrain from submitting vulnerability reports via the bug bounty platform.
- 2025-12-02: Gendigital replied that if Quarkslab wanted to report vulnerabilities to please do and they'd be glad to work with us on disclosure of issues in due time, but that unfortunately they could not agree to any terms that tie a fix or report to an arbitrary timeline, and nor will they commit to publishing information they've not reviewed. The vendor stated "We also do not commit to publishing dates as we want to ensure adequate time for users to upgrade to fixed versions before we make any information or details public. Our first commitment is to our user's safety, and we'll continue to hold to that commitment. We're not trying to prevent publishing, and we're not trying to hide information. We've worked with many researchers to publish responsibly under this program, and we hope you will join that list".
- 2025-12-03: Quarkslab agreed that Gendigital's decision was unfortunate indeed because we could not agree to terms of a bug bounty program that required submission under NDA and they stated that they would only receive and service vulnerability reports if they are sent through their bug bounty. Thus we were in a deadlock. To break out of the deadlock Quarkslab sent the vulnerability report in PDF format over email and explicitly noted that it was not a submission to the bug bounty program and we did not agree to its terms. Quarkslab did not agree to any restrictions on the publication of the research work that originated the report or its results. We stated that following the industry's common practice, we had set the deadline for publication of the vulnerabilities in the report, and any other work derived from our own self-funded research that uncovered them, to March 3rd 2026, 90 calendar days from today, which was considered the date of initial report. Quarkslab also suggested that if the vendor's first commitment was to their user's safety they should consider removing from their program the requirement to submit vulnerability reports under NDA. Such a practice is frowned upon by many vulnerability researchers and vulnerability research organizations, as explained by Kendra Albert in her "Everything Old Is New Again: Legal Restrictions on Vulnerability Disclosure on Bug Bounty Platforms" talk at the 34th Usenix Security Symposium in 2025. Quarkslab also noted that we've reported vulnerabilities to many vendors worldwide for over a decade and worked with them following Coordinated Vulnerability Disclosure practices ("Responsible Disclosure" is a term originally coined by Microsoft and deprecated in 2010 after they realized it was biased). Over that entire period Quarkslab very rarely encountered vendors that only serviced vulnerability reports if they were submitted via a program bound by an NDA agreement. We hope that the vendor reconsiders such practice.
- 2026-02-25: Requesting CVE at VulnCheck.
- 2026-02-25: CVE-2026-27748, CVE-2026-27749 and CVE-2026-27750 have been reserved by VulnCheck.
- 2026-03-03: This blog post is published.
Avira: Deserialize, Delete and Escalate - The Proper Way to Use an AV - Quarkslab's blog