HIGH 7.0

CVE-2026-45598: Windows AFD.sys Race Condition Privilege Escalation (CVSS 7.0)

A race condition in Windows' Ancillary Function Driver for WinSock (AFD.sys) allows an attacker who already has local access to a system to escalate their privileges to a higher level. The vulnerability stems from improper synchronization when the driver handles shared resources, meaning that under specific timing conditions, an attacker can exploit the flaw to gain elevated permissions. This is not a remote attack—the attacker must already have a foothold on the machine, such as a low-privileged user account or compromised application context.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-362
Affected products
24 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45598 is a local privilege escalation vulnerability arising from a race condition (CWE-362) in the Ancillary Function Driver for WinSock (AFD.sys). The driver fails to properly synchronize access to shared resources during concurrent operations, allowing an authenticated local user to manipulate timing conditions and execute code with elevated privileges. The CVSS 3.1 score of 7.0 (HIGH) reflects the requirement for local access and moderate complexity, balanced against the potential for complete system compromise (confidentiality, integrity, and availability impact all rated HIGH). The vulnerability affects a broad range of Windows versions spanning Windows 10 (releases 1607, 1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2, 26H1), and Windows Server editions (2012 through 2025).

Business impact

An attacker exploiting this vulnerability could gain administrative or system-level access to affected machines, enabling lateral movement within enterprise networks, persistence mechanisms, and access to sensitive data. For organizations managing Windows desktops and servers at scale, this represents a post-compromise escalation risk—once an attacker has obtained user-level access through phishing, software vulnerability, or misconfigurations, they can use this flaw to break out of sandboxed contexts or low-privilege accounts. Financial impact includes incident response costs, potential data exfiltration or encryption, and operational disruption.

Affected systems

The vulnerability affects Microsoft Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server editions 2012, 2016, 2019, 2022, and 2025. Coverage is broad across consumer and enterprise operating systems. Organizations should assume their Windows infrastructure is affected unless running a patched build confirmed by Microsoft's official advisory.

Exploitability

Exploitation requires local authenticated access (PR:L in the CVSS vector), meaning the attacker must first establish a presence on the target system—not a remote attack from the internet. The attack complexity is rated HIGH, indicating that successful exploitation depends on timing or other conditional factors inherent to a race condition, which may require multiple attempts or specific system configurations. While the barrier to entry is not trivial, an attacker with even low-privilege user access or code execution in a restricted context (e.g., an application sandbox or service account) can attempt to trigger the race condition and escalate privileges. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, but absence from KEV does not indicate low risk—it may reflect that active exploitation has not yet been publicly documented or reported to federal agencies.

Remediation

Security updates from Microsoft addressing this vulnerability are the primary remediation. Organizations should consult Microsoft's security bulletin and patch guidance for CVE-2026-45598 to identify the specific Windows update version that resolves the AFD.sys synchronization issue. Immediate patching is advisable given the broad product coverage and the privilege escalation risk. Pending patch deployment, mitigations may include restricting local user account creation, enforcing application whitelisting to limit code execution, and monitoring for unusual privilege escalation attempts or AFD-related system calls.

Patch guidance

Contact Microsoft directly or visit the Microsoft Security Update Guide for the official patch version numbers applicable to your specific Windows version and release. Verify patch applicability before deployment in your environment. Test updates in a controlled setting (development or staging systems) before broad rollout to production. For enterprise deployments, coordinate with your change management process and schedule patching during maintenance windows to minimize disruption. Windows Update and Windows Server Update Services (WSUS) will deliver the patch automatically if automatic updates are enabled; alternatively, manual download from the Microsoft Update Catalog is available.

Detection guidance

Monitor for suspicious privilege escalation attempts on Windows systems, particularly those involving low-privilege processes attempting to gain system or administrative context. Endpoint Detection and Response (EDR) solutions should flag unusual access patterns to shared kernel resources or unexpected elevation of privileges without corresponding administrator action. Network-level detection is limited since the attack is local; focus on behavioral indicators such as rapid repeated system calls to AFD functions, unexpected thread creation with elevated tokens, or audit log events indicating privilege change. Windows Security Event Log events 4688 (Process Creation) with privilege elevation and 4673 (Sensitive Privilege Use) may indicate exploitation attempts.

Why prioritize this

This vulnerability merits high priority due to its HIGH CVSS score, broad impact across Windows 10, 11, and Server editions spanning from legacy to current releases, and the direct path to privilege escalation. While local access is required, the presence of this flaw in widely deployed systems means that any post-compromise scenario (malware installation, supply-chain compromise, insider threat) becomes significantly more dangerous. The race condition nature suggests it may be reliably exploitable under certain conditions, increasing the likelihood that threat actors will eventually weaponize it if they have not already.

Risk score, explained

The CVSS 3.1 score of 7.0 (HIGH) balances multiple factors: (1) Attack Vector LOCAL—the attacker must have local system access, not remote; (2) Attack Complexity HIGH—the race condition requires specific timing or conditions, not a straightforward deterministic exploit; (3) Privileges Required LOW—any authenticated local user can attempt exploitation; (4) User Interaction NONE—no user action is needed once the attacker code executes; (5) Scope UNCHANGED—the privilege escalation affects only the vulnerable system; (6) All three impact categories (Confidentiality, Integrity, Availability) are rated HIGH—a successful attack grants near-complete control of the system. The HIGH severity reflects the severity of impact balanced against the moderate barrier to triggering the flaw.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. This is a local privilege escalation vulnerability. The attacker must already have authenticated access to the system—either a user account, compromised application running with limited privileges, or code execution in a restricted context. It does not allow an unauthenticated attacker to compromise a machine from the network or internet.

Is this vulnerability actively being exploited in the wild?

As of the published date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning there is no confirmed public report of active exploitation. However, absence from KEV does not guarantee the vulnerability is not exploited—only that exploitation has not been formally documented. Organizations should treat it as a real risk and prioritize patching.

Can I mitigate this without patching immediately?

Patching is the definitive fix. Short-term mitigations might include restricting creation of new local user accounts, enforcing application whitelisting or code integrity policies, and tightening privilege escalation audit logging. However, these are partial controls and do not eliminate the underlying vulnerability. Plan for prompt patching as the primary remediation.

Which Windows versions are affected?

Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 23H2, 24H2, 25H2, 26H1), and Windows Server (2012, 2016, 2019, 2022, 2025) are all affected. Consult Microsoft's official advisory to confirm the exact build numbers and patch versions for your environment.

This analysis is provided for informational purposes and reflects the ground-truth vulnerability data available as of the published date. CVSS scores, affected product versions, and patch details are sourced from official vendor advisories. Organizations must verify all patch version numbers and compatibility with their environment directly against Microsoft's security bulletins before deployment. This vulnerability is not listed in CISA's KEV catalog; absence from KEV does not indicate low risk. No exploit code or weaponized proof-of-concept is disclosed. Organizations are responsible for assessing their own risk posture and implementing appropriate mitigations and updates in their environments. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).