CVE-2009-2966 in Internet Security

Summary

by MITRE

avp.exe in Kaspersky Internet Security 9.0.0.459 and Anti-Virus 9.0.0.463 allows remote attackers to cause a denial of service (CPU consumption and network connectivity loss) via an HTTP URL request that contains a large number of dot "." characters.


Analysis

by VulDB Data Team • 09/30/2025

The vulnerability identified as CVE-2009-2966 affects Kaspersky Internet Security 9.0.0.459 and Anti-Virus 9.0.0.463 through the avp.exe component, which serves as the core antivirus engine responsible for real-time protection and threat detection. This flaw represents a classic resource exhaustion attack that targets the application's handling of HTTP URL requests, specifically exploiting how the system processes malformed input containing excessive dot characters. The vulnerability operates at the application layer and demonstrates poor input validation practices within the antivirus software's web filtering capabilities.

The technical mechanism behind this vulnerability involves the avp.exe process failing to properly sanitize or limit the number of dot characters in HTTP URL requests before processing them through the antivirus engine's content inspection routines. When an attacker crafts a malicious URL containing an excessive number of consecutive dot characters, the antivirus software's parser becomes overwhelmed as it attempts to process these malformed inputs. This leads to excessive CPU utilization as the system iterates through the malformed URL structure and attempts to perform pattern matching, string manipulation, and security scanning operations on the malformed input. The processing overhead eventually consumes all available CPU resources, causing the system to become unresponsive.

The operational impact of this vulnerability extends beyond a simple denial of service, since it has a cascading effect on system performance and network connectivity. The sustained high CPU consumption prevents the antivirus software from performing its legitimate security functions while simultaneously consuming the resources required for normal network operations. Network connectivity loss occurs because the overloaded system can no longer properly handle incoming network traffic, so legitimate requests are either dropped or severely delayed. This vulnerability maps directly to CWE-400, "Uncontrolled Resource Consumption", and can be categorized under the ATT&CK technique T1499.004 for "Utilities: System Shutdown/Reboot" when considering the system-wide impact of resource exhaustion.

The exploitation of this vulnerability demonstrates a critical flaw in the antivirus software's defensive design, where the security solution becomes a vector for system compromise rather than a protective mechanism. Attackers can leverage this weakness to disrupt services without requiring elevated privileges or complex exploitation techniques, making it particularly dangerous in enterprise environments where antivirus software typically runs with elevated system permissions. The vulnerability's impact is amplified in networked environments where multiple systems may be simultaneously affected, potentially creating widespread service disruption across an organization's infrastructure.

Mitigation strategies for this vulnerability include immediate deployment of Kaspersky's official patches and updates that address the input validation flaw in the avp.exe component. System administrators should implement network-level rate limiting and URL filtering mechanisms to prevent excessive dot character sequences from reaching the antivirus engine. Additionally, organizations should consider implementing monitoring solutions that can detect unusual CPU consumption patterns and network connectivity issues that may indicate exploitation attempts. The vulnerability highlights the importance of proper input validation and resource management in security software, as these applications must be resilient against malicious input that could otherwise overwhelm their defensive capabilities. Regular security assessments and penetration testing should be conducted to identify similar resource exhaustion vulnerabilities in other security solutions that may be similarly affected by malformed input processing.

Reservation: 08/25/2009

Disclosure: 08/25/2009

Moderation: accepted

Entry: VDB-49660

CPE: ready

EPSS: 0.06398

KEV: no

Activities: very low
