Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Articles & Coverage 1
AnalysisAI
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows low-privileged authenticated users to execute arbitrary code with SYSTEM privileges via use-after-free memory corruption. Microsoft has released patches addressing Windows 10 (versions 1607 through 22H2), Windows 11 (versions 22H3 through 26H1), and Windows Server 2012. CVSS base score is 7.0 (High) with local attack vector and high attack complexity. EPSS data not available; no CISA KEV listing at time of analysis, suggesting exploitation has not been observed in the wild despite public disclosure.
Technical ContextAI
The Windows Ancillary Function Driver (AFD.sys) is a kernel-mode driver that provides support for Windows Sockets (WinSock) applications, handling low-level socket operations including connection establishment, data transmission, and resource management. The vulnerability stems from a use-after-free condition (CWE-416), a memory corruption class where the driver continues to reference memory after it has been deallocated. This timing-dependent flaw allows manipulation of freed memory contents before reuse, enabling an attacker to corrupt kernel data structures. AFD.sys operates at ring 0 with SYSTEM privileges, making successful exploitation particularly severe as it bridges user-mode socket operations with kernel-mode networking stack. The affected CPE strings indicate widespread impact across Windows 10 (build 1607 from 2016 through current 22H2), all Windows 11 releases including the latest 26H1 preview builds, and the legacy Windows Server 2012 platform, suggesting this is a longstanding architectural issue in the WinSock kernel implementation rather than a recent regression.
RemediationAI
Apply the vendor-released patches immediately through Windows Update or Microsoft Update Catalog as documented in Microsoft Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35416. Organizations should prioritize patching for systems where local user access is granted to untrusted or semi-trusted users, including terminal servers, jump boxes, development environments, and contractor-accessible workstations. For systems that cannot be immediately patched, implement compensating controls including restricting local logon rights to only essential administrative accounts via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on locally), enabling and monitoring Windows Defender Exploit Guard's Arbitrary Code Guard feature, and deploying enhanced logging for AFD.sys driver activity through Sysmon Event ID 6 (driver loaded) and Event ID 3 (network connections). Note that disabling AFD.sys is not feasible as it would break all WinSock networking functionality. Monitor for unusual privilege escalation attempts via Security Event IDs 4672 (special privileges assigned to new logon) and 4673 (privileged service called) from low-privilege user contexts.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29623
GHSA-cc8v-q6gq-pf87