Skip to content
K>Kaluche
  • Research
  • CVEs
  • Search
  • About
discoveredarbitrary code execution as SYSTEMLPE

CVE-2026-27749

Avira System Speedup insecure deserialization

Avira.SystemSpeedup.RealTimeOptimizer.exe deserialized a user-creatable ProgramData file with BinaryFormatter while running as SYSTEM, allowing local code execution as SYSTEM. Avira 1.1.109.1990 and below were affected; 1.1.114.3113 contains the fix.

Vendor
Gen Digital / Avira
Product
Avira Internet Security
Component
System Speedup / RealTimeOptimizer
Disclosure
Mar 03, 2026
Bug class
insecure deserialization, BinaryFormatter, unsafe file permissions
Severity
High (CVSS 3.1: 7.8)
writeupadvisory

© 2026 Kaluche · CC BY-NC 4.0

GitHubTwitterRSS