Skip to main content

Windows AFD.sys CVE-2026-45596

| EUVDEUVD-2026-35560 HIGH
Race Condition (CWE-362)
2026-06-09 secure@microsoft.com GHSA-32m9-jm89-hm8p
7.0
CVSS 3.1 · NVD
Temporal: 6.1
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.1 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 18:13 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.0

DescriptionNVD

Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated local user to gain SYSTEM-level rights by winning a race condition that leads to a use-after-free in kernel memory. The flaw affects Windows installations where afd.sys is loaded (effectively all desktop and server SKUs) and was reported by Microsoft Security Response Center; no public exploit identified at time of analysis and the vulnerability is not listed on the CISA KEV catalog.

Technical ContextAI

The Ancillary Function Driver (afd.sys) is the kernel-mode driver that backs the Winsock user-mode API, handling socket I/O requests issued via DeviceIoControl. CWE-362 (race condition) combined with the description of a use-after-free indicates that two concurrent threads can manipulate a shared socket-related kernel object such that one path frees the object while another retains and dereferences a stale pointer, yielding a controllable write or call primitive in kernel context. AFD.sys has been a recurring LPE target on Windows (e.g., CVE-2023-21768, CVE-2024-38193), and exploitation typically pivots through I/O ring or pipe-attribute primitives to overwrite a process token and obtain SYSTEM. No CPE strings were provided in the input, so exact affected Windows build numbers must be confirmed from the Microsoft advisory.

RemediationAI

Apply the Microsoft monthly security update that addresses CVE-2026-45596 to all Windows endpoints and servers; the exact KB article and patched afd.sys file version should be retrieved from the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45596, as no specific fixed version was supplied in the input data. No vendor-released patched build was independently confirmed in the provided intelligence beyond the MSRC reference. Compensating controls until patching is complete: restrict local logon and interactive sessions to trusted users (this bug requires PR:L), constrain or block execution of unsigned binaries via WDAC/AppLocker to reduce the pool of attackers who can deliver a race-condition exploit, enable HVCI/VBS so that kernel exploitation primitives become harder to realize, and monitor EDR for anomalous afd.sys-related crashes or token-swap behavior - note that VBS/HVCI can introduce measurable performance overhead on older silicon, and AppLocker policies must be tested against business apps.

Share

CVE-2026-45596 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy