Skip to main content

Windows AFD.sys EUVDEUVD-2026-35658

| CVE-2026-34335 HIGH
Use After Free (CWE-416)
2026-06-09 secure@microsoft.com GHSA-rw6m-h6rx-3c9p
High
Disputed · 7.0 NVD
Temporal: 6.1
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
CRITICAL
qualitative
CIRCL (temporal)
6.1 MEDIUM
cvss

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:32 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.0

DescriptionNVD

Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free condition in the kernel-mode driver. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but AFD.sys has a long history of being targeted for kernel EoP, making this a likely candidate for future weaponization. CVSS 7.0 reflects the high attack complexity required to reliably win the underlying race or reuse condition.

Technical ContextAI

The Ancillary Function Driver for WinSock (afd.sys) is the kernel-mode component that backs the Windows Sockets (Winsock) user-mode API, brokering socket I/O between user processes and the TCP/IP stack. Because every process that opens a socket interacts with AFD via IOCTLs, the driver is reachable from any authenticated context including low-integrity sandboxes. CWE-416 (Use After Free) indicates that an object in kernel-pool memory is referenced after it has been freed - typically due to a race between concurrent IOCTL handlers or improper reference counting on socket-related kernel objects - allowing an attacker who can groom the pool to coerce the kernel into operating on attacker-controlled data and ultimately corrupt kernel memory.

RemediationAI

Apply the Microsoft monthly security update that addresses CVE-2026-34335 as documented in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34335; exact patched build numbers per Windows SKU should be taken directly from that advisory as none were included in the provided data. Where patching must be staged, reduce exposure by minimizing the set of users who can execute arbitrary code on the host - restrict interactive logon on servers, harden RDP/Citrix/VDI sessions with AppLocker or WDAC to block unsigned binaries, and enforce LSA protection and Credential Guard so a kernel EoP yields less post-exploitation value. Note that disabling AFD.sys is not a viable workaround because it would break Winsock and all networked applications, so compensating controls focus on preventing the attacker from running the trigger code rather than removing the vulnerable surface.

Share

EUVD-2026-35658 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy