Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated low-privileged user to elevate to SYSTEM by winning a race condition that triggers a use-after-free. The flaw is reported by Microsoft (MSRC) and carries CVSS 7.0 with high attack complexity, but no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Technical ContextAI
The Ancillary Function Driver for WinSock (afd.sys) is a kernel-mode driver that provides the user-mode Winsock API (ws2_32.dll) with access to kernel networking primitives, making it a long-standing surface for local kernel exploitation. The root cause is CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, i.e., a race condition) that produces a use-after-free: two concurrent code paths operate on the same kernel object without adequate locking, allowing one thread to free the object while another still references it. Tags 'Race Condition' and 'Denial Of Service' corroborate the concurrency root cause, and successful UAF in afd.sys historically yields arbitrary kernel read/write and SYSTEM token replacement.
RemediationAI
Apply the Microsoft security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45603 as soon as it is published for your Windows edition (patch available per vendor advisory; specific fixed build numbers must be taken from MSRC). Because exploitation requires local authenticated code execution, compensating controls until patching include restricting interactive and remote-desktop logon rights to trusted users, enforcing application allowlisting (WDAC/AppLocker) to prevent unsigned tooling from running, and enabling EDR detections for known afd.sys exploitation patterns (suspicious IOCTL sequences to \Device\Afd, token theft from System process); these controls reduce attacker dwell but do not block a determined insider and may break legitimate admin tooling.
More in Windows 10 1607
View allWindows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables
Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker
Active Directory Domain Services contains an elevation of privilege vulnerability that allows authenticated domain users
Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the
Windows CLFS Driver contains an input validation flaw enabling local privilege escalation, yet another CLFS kernel vulne
Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow enabling local privilege escalation
Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote atta
In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptograph
Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables
Windows Common Log File System Driver contains another use-after-free for local privilege escalation, the latest in a se
Windows Storage contains an elevation of privilege vulnerability through symlink following that allows authorized attack
Windows Ancillary Function Driver for WinSock contains a use-after-free enabling local privilege escalation through a nu
Same weakness CWE-362 – Race Condition
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35565
GHSA-v9vm-9353-cg37