CVE-2026-45596: Windows AFD Use-After-Free Privilege Escalation Vulnerability
A use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock (AFD) allows an authenticated attacker to elevate their privileges on a local system. The vulnerability requires the attacker to already have user-level access and involves a race condition during memory management. Successfully exploiting it grants the attacker full system-level control.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-362, CWE-416
- Affected products
- 24 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45596 is a use-after-free flaw (CWE-416) combined with a race condition (CWE-362) in the Ancillary Function Driver for WinSock (AFD.sys). The driver manages low-level network socket operations in Windows. The vulnerability arises when the driver frees memory that is still referenced elsewhere, and a race condition allows an attacker to trigger operations on that freed memory. With local code execution as an authenticated user, an attacker can craft specific AFD API calls to induce this state and gain kernel-level privileges. The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects local attack surface, high complexity, low privilege requirement, and complete system compromise potential.
Business impact
Successful exploitation enables privilege escalation from user to system level, giving attackers unrestricted control over affected machines. In enterprise environments, this allows lateral movement within networks, installation of persistent malware, exfiltration of sensitive data, and disruption of critical services. Organizations relying on user-level account isolation or unprivileged service accounts face heightened risk if those accounts are compromised through phishing, supply-chain attack, or software vulnerability. The impact spans confidentiality, integrity, and availability.
Affected systems
All supported Windows 10 versions are affected (builds 1607, 1809, 21H2, 22H2). Windows 11 is vulnerable across all recent builds (23H2, 24H2, 25H2, 26H1). Windows Server editions 2012, 2016, 2019, 2022, and 2025 are all in scope. Older unsupported Windows versions may also be affected but are not listed in available advisories. Both consumer and server deployments require attention.
Exploitability
Exploitation requires authenticated local access—an attacker cannot exploit this remotely without first gaining user-level code execution on the target. The high complexity (AC:H) reflects the race condition requirement, making reliable exploitation non-trivial. However, once achieved, the payoff is immediate privilege escalation. No public weaponized exploit has been confirmed, and this vulnerability is not yet tracked by CISA's Known Exploited Vulnerabilities catalog, but organizations should assume the attack technique will be documented post-disclosure. Malware and targeted attack groups are likely to incorporate this into their toolkits quickly.
Remediation
Microsoft has released security updates addressing this vulnerability across all affected Windows versions. Patches should be applied through Windows Update or manual download from the Microsoft Security Update Guide. For managed enterprise environments, deployment should be prioritized for systems facing external attack surfaces or running sensitive workloads. Verify patch installation by confirming AFD.sys file version against the vendor advisory. Until patching is complete, mitigate risk by restricting user-level code execution through application whitelisting, disabling unnecessary network services, and enforcing strong credential policies.
Patch guidance
Obtain the latest security updates from Microsoft's official patch channels for your specific Windows version and build. Patches for this vulnerability are cumulative; installing the latest monthly or out-of-band update resolves CVE-2026-45596. For Windows Server environments, coordinate patching with maintenance windows to minimize downtime. Test patches in a non-production environment before broad deployment. Organizations using Windows 10 builds 1607 or 1809 (out of mainstream support) should verify extended support agreements and patch availability with Microsoft before committing to extended timelines. Prioritize systems with high user turnover or elevated privilege accounts.
Detection guidance
Monitor for unusual AFD.sys activity, kernel-mode crashes, or privilege escalation attempts originating from user-mode processes. Deploy endpoint detection and response (EDR) solutions configured to flag suspicious system calls targeting the AFD driver or unexpected transition from user to kernel context. Check for abnormal memory allocation and deallocation patterns associated with socket operations. Log failed and successful privilege escalation attempts via Windows Event Viewer (Security logs, Event ID 4674 for privileged operations). Correlate process execution with administrative token assignments to identify lateral movement post-exploitation. Behavioral analytics may identify the characteristic race condition window as multiple rapid AFD API invocations followed by kernel exception handling.
Why prioritize this
HIGH severity combined with widespread product reach across Windows 10, 11, and Server editions warrants immediate prioritization. The privilege escalation nature means a low-privilege compromised account becomes a full system compromise. The race condition complexity should not be misinterpreted as low exploitability; sophisticated threat actors routinely overcome such technical hurdles. Early patching prevents adversaries from weaponizing this in supply-chain or targeted attack scenarios. Organizations should treat this as critical for systems with elevated user populations or sensitive workloads.
Risk score, explained
The CVSS 3.1 score of 7.0 (HIGH) reflects the confluence of complete confidentiality, integrity, and availability impact (C:H/I:H/A:H) against the constraint of requiring authenticated local access (AV:L/PR:L). The high complexity (AC:H) acknowledges the race condition but does not diminish the severity of successful exploitation. No user interaction is required, reducing friction for malware or lateral movement. The lack of scope change (S:U) means the attacker gains privileges only on the affected system itself, not across security boundaries—but that is sufficient for full system compromise.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The vulnerability requires authenticated local code execution on the target system. An attacker must first compromise a user account or service on the machine itself, then use this flaw to escalate to system level. Remote exploitation is not possible via this CVE alone.
Do unpatched older Windows versions like Windows 7 or Windows Server 2008 require updates?
Vendors_products data provided does not list Windows 7 or Server 2008, indicating Microsoft has not released patches for those versions. Organizations still running unsupported Windows should prioritize migration. If still necessary, isolation and compensating controls (EDR, network segmentation) are essential.
What should I do if I cannot patch immediately?
Implement compensating controls: restrict local administrative access, enforce application whitelisting to prevent unauthorized code execution, deploy EDR to detect privilege escalation attempts, and monitor for AFD driver anomalies. Isolate high-value systems from low-trust network segments. These do not eliminate risk but buy time for patching operations.
Is CISA tracking this vulnerability as exploited in the wild?
As of the data provided, this CVE is not on CISA's Known Exploited Vulnerabilities (KEV) list, meaning no confirmed active exploitation has been disclosed. However, given the privilege escalation nature and Windows ubiquity, organizations should assume adversaries will weaponize this post-disclosure and patch proactively rather than reactively.
This analysis is provided for informational purposes and reflects publicly disclosed vulnerability data current as of June 2026. CVSS scores, patch version numbers, and affected product lists are sourced from official Microsoft and NIST documentation. Organizations should verify patch availability and compatibility with their specific environments before deployment. SEC.co makes no warranty regarding the completeness or accuracy of third-party patch information and recommends consulting official vendor advisories. This summary does not constitute professional security advice; engage qualified security professionals for deployment decisions. Exploit code and weaponization techniques are not provided; security researchers should report findings responsibly to Microsoft before public disclosure. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42836HIGHWindows Function Discovery Service Race Condition Privilege Escalation
- CVE-2026-42909HIGHMicrosoft Remote Desktop Client Race Condition Remote Code Execution
- CVE-2026-42913HIGHRemote Desktop Client Race Condition Allows Network Code Execution
- CVE-2026-42978HIGHWindows Push Notifications Privilege Escalation (CVSS 7.8)
- CVE-2026-42979HIGHWindows Push Notifications Privilege Escalation (Race Condition)
- CVE-2026-42991HIGHWindows Push Notifications Race Condition Privilege Escalation (CVSS 7.8)
- CVE-2026-45601HIGHWindows AFD WinSock Race Condition Privilege Escalation
- CVE-2026-45603HIGHWindows AFD Race Condition Privilege Escalation Vulnerability