Skip to main content

Windows Ancillary Function Driver CVE-2026-34345

| EUVDEUVD-2026-29604 HIGH
Race Condition (CWE-362)
2026-05-12 microsoft GHSA-j2x4-j6jv-hpjv
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 18:34 vuln.today
CVE Published
May 12, 2026 - 16:58 nvd
HIGH 7.0

DescriptionCVE.org

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

AnalysisAI

Race condition in Windows Ancillary Function Driver for WinSock (AFD.sys) enables local privilege escalation for low-privileged authenticated users across Windows 10 (1607-22H2), Windows 11 (22H3-26H1), and Windows Server 2016. Microsoft confirmed the vulnerability and released patches via their March 2026 security updates. The flaw requires high attack complexity (CVSS AC:H), suggesting exploitation depends on winning a narrow timing window in concurrent socket operations. EPSS data unavailable, no CISA KEV listing at time of analysis, but Microsoft's rapid patch indicates credible exploit risk.

Technical ContextAI

The Windows Ancillary Function Driver (AFD.sys) provides kernel-mode support for WinSock operations including asynchronous I/O, connection management, and socket state transitions. This CWE-362 race condition occurs when multiple threads concurrently access shared resources within AFD without proper synchronization primitives (mutexes, semaphores, or interlocked operations). The vulnerability likely exists in critical sections handling socket descriptor allocation, buffer management, or security context validation. When thread scheduling allows attacker-controlled operations to execute between check-and-use sequences, inconsistent kernel state can be exploited to corrupt object pointers, bypass security checks, or elevate the calling thread's token privileges. AFD operates at IRQL PASSIVE_LEVEL to APC_LEVEL, where race windows are exploitable through carefully timed system calls like WSARecv, WSASend, or socket option manipulations.

RemediationAI

Apply Microsoft's March 2026 security updates via Windows Update, WSUS, or SCCM according to your patch management cycle. Consult the vendor advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34345 for specific KB numbers corresponding to each Windows version (e.g., Windows 11 24H2 requires KB50xxxxx). Prioritize patching for servers with multiple concurrent users, Hyper-V hosts, and systems accessible to lower-trust users. If immediate patching is infeasible, implement compensating controls: restrict local logon rights to trusted administrators only via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally'), enable Credential Guard on Windows 10/11 Enterprise to protect elevated tokens even if exploitation succeeds (note: requires UEFI, Secure Boot, and compatible hardware), and monitor for abnormal AFD.sys activity using Sysmon EventID 10 (ProcessAccess) targeting lsass.exe from unexpected processes. These mitigations reduce attack surface but do not eliminate the race condition - patching remains the definitive solution.

Share

CVE-2026-34345 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy