HIGH 7.0

CVE-2026-34335: Windows AFD.sys Privilege Escalation Vulnerability

A use-after-free memory vulnerability exists in Windows Ancillary Function Driver for WinSock (AFD.sys), affecting Windows 10 and Windows 11 across multiple versions, as well as Windows Server 2012 through 2025. An authenticated local attacker can exploit this flaw to escalate their privileges to SYSTEM level. The vulnerability requires local access and specific conditions to trigger, but once exploited, grants complete control over the affected system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
24 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-34335 is a use-after-free vulnerability (CWE-416) in the Windows Ancillary Function Driver for WinSock. The flaw occurs when the AFD driver fails to properly manage memory references, allowing freed memory to be accessed and manipulated. An attacker with local user privileges and without requiring user interaction can craft specific socket operations to trigger the use-after-free condition, leading to arbitrary code execution in kernel context and privilege escalation to SYSTEM. The CVSS 3.1 score of 7.0 (HIGH) reflects the requirement for local access and higher complexity, but acknowledges the severe impact—complete confidentiality, integrity, and availability compromise.

Business impact

Successful exploitation enables lateral movement within enterprise networks and establishment of persistent backdoors. Compromised systems can be leveraged for data exfiltration, installation of malware, or launching attacks against other infrastructure. For organizations running Windows 10 or Windows Server environments at scale, this vulnerability creates significant risk if unpatched, as a single compromised user account can lead to full system compromise. Ransomware operators and advanced persistent threat groups typically prioritize privilege escalation vulnerabilities for precisely this reason.

Affected systems

The vulnerability affects a wide range of Windows client and server platforms: Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server editions 2012, 2016, 2019, 2022, and 2025. Organizations should assume all in-support and many extended-support Windows platforms are in scope and require patching or mitigation.

Exploitability

Exploitation requires local access to the target system and valid user credentials. The attack surface is limited to authenticated users, which eliminates widespread remote exploitation risk. However, the complexity is rated as 'high' rather than 'high difficulty to impossible,' meaning the vulnerability is plausibly exploitable by a competent attacker with moderate effort once the technical details are understood. As of the publication date, this vulnerability is not tracked on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no widespread in-the-wild exploitation has been reported, though this should not be relied upon for long-term risk management.

Remediation

Immediate action is required: obtain and deploy security patches from Microsoft for all affected Windows 10, Windows 11, and Windows Server versions. Verify patch status through Windows Update or your endpoint management system. For systems where immediate patching is infeasible, apply the principle of least privilege to limit local user access and monitor for suspicious process creation and privilege escalation events. Until patches are deployed, restrict local login access to trusted users only and disable unnecessary network services.

Patch guidance

Patches for this vulnerability should be available through Microsoft's regular security update cycle (Patch Tuesday). Administrators should consult the official Microsoft Security Update Guide and the KB articles associated with the June 2026 security releases for their specific Windows version. Test patches in a controlled environment before broad deployment, particularly for Windows Server systems supporting critical workloads. Prioritize patching based on asset criticality: Internet-facing systems and those handling sensitive data should be updated first.

Detection guidance

Monitor endpoint detection and response (EDR) solutions for indicators such as: unusual kernel-mode code execution originating from user-mode processes, unexpected privilege escalation attempts, and socket-related API calls followed by memory corruption signatures. Windows Event Viewer logs (Security and System event logs) may show evidence of privilege escalation attempts. Network-based detection is limited due to the local nature of the attack, but monitor for anomalous process behavior post-exploitation on compromised systems. Hunting for use-after-free style attacks typically requires kernel-level telemetry from advanced EDR platforms.

Why prioritize this

This vulnerability merits HIGH priority for patching because: (1) it enables privilege escalation—one of the most dangerous vulnerability classes; (2) it affects broadly deployed platforms (Windows 10 and 11 across enterprise and consumer environments); (3) the authenticated attack requirement, while limiting initial exploitation, is easily satisfied in typical network environments where users have legitimate local access; and (4) privilege escalation is a common stepping stone in data breaches and ransomware campaigns. Although not yet in active exploitation, the technical nature and widespread impact justify rapid remediation.

Risk score, explained

The CVSS 3.1 score of 7.0 (HIGH) reflects: Attack Vector: Local (AV:L)—not remotely exploitable, reducing baseline risk; Attack Complexity: High (AC:H)—specific conditions or engineering required, but plausible; Privileges Required: Low (PR:L)—standard user account sufficient; User Interaction: None (UI:N)—attacker does not need to trick the victim; and Scope: Unchanged (S:U) with full impact on Confidentiality, Integrity, and Availability (C:H/I:H/A:H). The score appropriately balances the local-only requirement against the severe kernel-level impact and the ability of a standard user to initiate the exploit.

Frequently asked questions

Does this vulnerability require administrator privileges to exploit?

No. The vulnerability requires only standard user (low privilege) access. An attacker with a regular domain user account or local user account can exploit it. This is more dangerous than vulnerabilities requiring admin rights, as compromising a standard user account (through phishing, credential stuffing, or lateral movement) provides a stepping stone to full system compromise.

Can this be exploited remotely?

No. The attack vector is local (AV:L), meaning the attacker must have local access to the target system and valid credentials. It cannot be exploited over the network directly. However, in scenarios where an attacker has already gained initial access to a network (e.g., through a web shell, exposed service, or phished credentials), they could use this vulnerability to escalate from that foothold.

Is this vulnerability currently being exploited in the wild?

As of the publication date (June 2026), this vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, indicating no confirmed widespread exploitation. However, this does not guarantee safety indefinitely—exploit code could emerge, and threat actors often develop exploits ahead of public disclosure. Assume it will be targeted and patch accordingly.

What should I do if I cannot patch immediately?

Implement compensating controls: enforce strong access controls and limit who can log in locally to critical systems; monitor for suspicious privilege escalation activity using EDR tools; disable unnecessary network services to reduce lateral movement vectors; and segment your network to limit the impact if a system is compromised. However, these controls are not a substitute for patching—develop a patching timeline and expedite it.

This analysis is provided for informational purposes to support cybersecurity decision-making and is based on publicly available information as of the publication date. Readers are responsible for verifying all technical details, patch availability, and applicability to their specific environment against official Microsoft security advisories and the Microsoft Security Update Guide. SEC.co does not warrant the accuracy, completeness, or timeliness of this information. Organizations should conduct their own risk assessment, testing, and validation before deploying patches or implementing mitigations. Patch version numbers, KB article references, and exact availability dates should be confirmed directly with Microsoft before taking action. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).