Severity by source
Sources disagree (Medium–Critical)AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free condition in the kernel-mode driver. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but AFD.sys has a long history of being targeted for kernel EoP, making this a likely candidate for future weaponization. CVSS 7.0 reflects the high attack complexity required to reliably win the underlying race or reuse condition.
Technical ContextAI
The Ancillary Function Driver for WinSock (afd.sys) is the kernel-mode component that backs the Windows Sockets (Winsock) user-mode API, brokering socket I/O between user processes and the TCP/IP stack. Because every process that opens a socket interacts with AFD via IOCTLs, the driver is reachable from any authenticated context including low-integrity sandboxes. CWE-416 (Use After Free) indicates that an object in kernel-pool memory is referenced after it has been freed - typically due to a race between concurrent IOCTL handlers or improper reference counting on socket-related kernel objects - allowing an attacker who can groom the pool to coerce the kernel into operating on attacker-controlled data and ultimately corrupt kernel memory.
RemediationAI
Apply the Microsoft monthly security update that addresses CVE-2026-34335 as documented in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34335; exact patched build numbers per Windows SKU should be taken directly from that advisory as none were included in the provided data. Where patching must be staged, reduce exposure by minimizing the set of users who can execute arbitrary code on the host - restrict interactive logon on servers, harden RDP/Citrix/VDI sessions with AppLocker or WDAC to block unsigned binaries, and enforce LSA protection and Credential Guard so a kernel EoP yields less post-exploitation value. Note that disabling AFD.sys is not a viable workaround because it would break Winsock and all networked applications, so compensating controls focus on preventing the attacker from running the trigger code rather than removing the vulnerable surface.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35658
GHSA-rw6m-h6rx-3c9p