Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated low-privileged user to elevate to SYSTEM via a use-after-free condition. The flaw affects Microsoft Windows installations using the standard WinSock kernel driver and has a vendor-released patch available through Microsoft's security update guide. No public exploit has been identified at time of analysis, though afd.sys has historically been a frequent target for elevation-of-privilege exploitation.
Technical ContextAI
The Ancillary Function Driver for WinSock (afd.sys) is a kernel-mode driver that provides the underlying support for Windows Sockets (WinSock) API calls from user-mode applications, bridging socket operations into the TCP/IP stack. CWE-416 (Use After Free) indicates the driver references kernel memory after it has been freed, typically when concurrent IOCTL requests or asynchronous I/O operations manipulate object lifetimes incorrectly. Successful manipulation of the dangling pointer permits an attacker to corrupt kernel memory structures, ultimately hijacking execution flow within ring 0. This driver class has been repeatedly abused in past Windows LPE chains because it is reachable from any process with a socket handle.
RemediationAI
Apply the vendor-released patch from Microsoft via the standard Windows Update channel or the security update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42911; the exact KB and build numbers should be confirmed against the MSRC advisory for the specific Windows SKU in use. As compensating controls until patching is complete, enforce least-privilege user accounts to limit which local actors can reach afd.sys, deploy attack-surface-reduction rules and EDR detections targeting suspicious afd.sys IOCTL abuse or token-stealing patterns, and prioritize patching endpoints reachable by untrusted code (developer workstations, terminal servers, multi-user systems). These compensating measures reduce - but do not eliminate - exposure because any local code execution path can attempt the race, and additional reference: https://vuldb.com/vuln/369611.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35723
GHSA-cm32-vwv6-jwp3