CVE-2026-27749 PUBLISHED

Avira Internet Security System Speedup Insecure Deserialization

Assigner: VulnCheck
Reserved: 23.02.2026 Published: 05.03.2026 Updated: 05.03.2026

Avira Internet Security contains a deserialization of untrusted data vulnerability in the System Speedup component. The Avira.SystemSpeedup.RealTimeOptimizer.exe process, which runs with SYSTEM privileges, deserializes data from a file located in C:\ProgramData using .NET BinaryFormatter without implementing input validation or deserialization safeguards. Because the file can be created or modified by a local user in default configurations, an attacker can supply a crafted serialized payload that is deserialized by the privileged process, resulting in arbitrary code execution as SYSTEM.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.5

Product Status

Vendor: Gen Digital Inc.
Product: Avira Internet Security
Versions (default status: unaffected):
  • affected from 0 to 1.1.109.1990 (incl.)
  • Version 1.1.114.3113 is unaffected

Credits

  • Quarkslab (finder)

Problem Types

  • CWE-502: Deserialization of Untrusted Data