Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
AnalysisAI
Race condition in Windows Ancillary Function Driver for WinSock (AFD.sys) enables local privilege escalation for low-privileged authenticated users across Windows 10 (1607-22H2), Windows 11 (22H3-26H1), and Windows Server 2016. Microsoft confirmed the vulnerability and released patches via their March 2026 security updates. The flaw requires high attack complexity (CVSS AC:H), suggesting exploitation depends on winning a narrow timing window in concurrent socket operations. EPSS data unavailable, no CISA KEV listing at time of analysis, but Microsoft's rapid patch indicates credible exploit risk.
Technical ContextAI
The Windows Ancillary Function Driver (AFD.sys) provides kernel-mode support for WinSock operations including asynchronous I/O, connection management, and socket state transitions. This CWE-362 race condition occurs when multiple threads concurrently access shared resources within AFD without proper synchronization primitives (mutexes, semaphores, or interlocked operations). The vulnerability likely exists in critical sections handling socket descriptor allocation, buffer management, or security context validation. When thread scheduling allows attacker-controlled operations to execute between check-and-use sequences, inconsistent kernel state can be exploited to corrupt object pointers, bypass security checks, or elevate the calling thread's token privileges. AFD operates at IRQL PASSIVE_LEVEL to APC_LEVEL, where race windows are exploitable through carefully timed system calls like WSARecv, WSASend, or socket option manipulations.
RemediationAI
Apply Microsoft's March 2026 security updates via Windows Update, WSUS, or SCCM according to your patch management cycle. Consult the vendor advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34345 for specific KB numbers corresponding to each Windows version (e.g., Windows 11 24H2 requires KB50xxxxx). Prioritize patching for servers with multiple concurrent users, Hyper-V hosts, and systems accessible to lower-trust users. If immediate patching is infeasible, implement compensating controls: restrict local logon rights to trusted administrators only via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally'), enable Credential Guard on Windows 10/11 Enterprise to protect elevated tokens even if exploitation succeeds (note: requires UEFI, Secure Boot, and compatible hardware), and monitor for abnormal AFD.sys activity using Sysmon EventID 10 (ProcessAccess) targeting lsass.exe from unexpected processes. These mitigations reduce attack surface but do not eliminate the race condition - patching remains the definitive solution.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29604
GHSA-j2x4-j6jv-hpjv