Skip to main content

Windows Ancillary Function Driver CVE-2026-42911

| EUVDEUVD-2026-35723 HIGH
Use After Free (CWE-416)
2026-06-09 secure@microsoft.com GHSA-cm32-vwv6-jwp3
7.0
CVSS 3.1 · NVD
Temporal: 6.1
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.1 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 18:36 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.0

DescriptionNVD

Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated low-privileged user to elevate to SYSTEM via a use-after-free condition. The flaw affects Microsoft Windows installations using the standard WinSock kernel driver and has a vendor-released patch available through Microsoft's security update guide. No public exploit has been identified at time of analysis, though afd.sys has historically been a frequent target for elevation-of-privilege exploitation.

Technical ContextAI

The Ancillary Function Driver for WinSock (afd.sys) is a kernel-mode driver that provides the underlying support for Windows Sockets (WinSock) API calls from user-mode applications, bridging socket operations into the TCP/IP stack. CWE-416 (Use After Free) indicates the driver references kernel memory after it has been freed, typically when concurrent IOCTL requests or asynchronous I/O operations manipulate object lifetimes incorrectly. Successful manipulation of the dangling pointer permits an attacker to corrupt kernel memory structures, ultimately hijacking execution flow within ring 0. This driver class has been repeatedly abused in past Windows LPE chains because it is reachable from any process with a socket handle.

RemediationAI

Apply the vendor-released patch from Microsoft via the standard Windows Update channel or the security update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42911; the exact KB and build numbers should be confirmed against the MSRC advisory for the specific Windows SKU in use. As compensating controls until patching is complete, enforce least-privilege user accounts to limit which local actors can reach afd.sys, deploy attack-surface-reduction rules and EDR detections targeting suspicious afd.sys IOCTL abuse or token-stealing patterns, and prioritize patching endpoints reachable by untrusted code (developer workstations, terminal servers, multi-user systems). These compensating measures reduce - but do not eliminate - exposure because any local code execution path can attempt the race, and additional reference: https://vuldb.com/vuln/369611.

Share

CVE-2026-42911 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy