HIGH 7.0

CVE-2026-45601: Windows AFD WinSock Race Condition Privilege Escalation

A race condition in the Windows Ancillary Function Driver for WinSock allows someone already logged into a Windows system to escalate their privileges to a higher level of access. The vulnerability arises from improper synchronization of shared resources, meaning two processes can interfere with each other when accessing the same data simultaneously. An attacker with local user privileges can exploit this timing-dependent flaw to gain elevated system rights, though doing so requires specific conditions and is not trivial to reproduce reliably.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-362, CWE-416
Affected products
24 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45601 is a race condition (CWE-362) in the Windows Ancillary Function Driver for WinSock (AFD.sys) that permits local privilege escalation. The vulnerability stems from concurrent access to shared kernel resources without adequate synchronization mechanisms. The flaw is classified as CWE-416 (Use-After-Free), suggesting memory corruption may occur when multiple threads access freed resources. The CVSS v3.1 score of 7.0 (HIGH) reflects local attack vector, high attack complexity, and requirement for low privileges; impact is complete across confidentiality, integrity, and availability. No known exploits are currently tracked in CISA's Known Exploited Vulnerabilities catalog.

Business impact

Privilege escalation in Windows environments creates a direct path to lateral movement, data exfiltration, and persistence. A standard user account compromised or controlled by an attacker can become an administrator or SYSTEM-level account, enabling complete system compromise. In corporate environments, this multiplies the risk of endpoint breaches—particularly on shared workstations, remote access scenarios, or systems where user privilege separation is relied upon as a security boundary. Organizations with legacy Windows 10 versions still in production face extended risk exposure.

Affected systems

The vulnerability affects a wide range of Windows versions spanning over a decade: Windows 10 (releases 1607, 1809, 21H2, 22H2), Windows 11 (releases 23H2, 24H2, 25H2, 26H1), and Windows Server 2012, 2016, 2019, 2022, and 2025. Organizations running any supported or near-end-of-life Windows 10 release, as well as all current Windows 11 and Server 2022/2025 editions, require attention. The broad version coverage indicates the underlying driver code has remained vulnerable across major OS releases.

Exploitability

Exploitation requires local access and an existing user account on the target system—a reasonable threat model for insider threats, post-compromise lateral movement, or scenarios where an attacker has already gained initial footing via phishing or application vulnerability. The attack complexity is rated HIGH, meaning the vulnerability is not trivially exploitable; an attacker must understand and manipulate precise timing conditions around resource allocation and synchronization. No public exploit code is currently documented in the Known Exploited Vulnerabilities catalog, though the technical nature (race condition in kernel driver) suggests skilled adversaries can weaponize it.

Remediation

Microsoft patches addressing this vulnerability should be deployed through standard Windows Update mechanisms. Organizations must verify patch availability and compatibility for their specific Windows version and build number through official Microsoft security bulletins. Testing patches in non-production environments first is strongly recommended, particularly for Server 2012 and Server 2016 installations approaching end-of-support. For systems that cannot be patched immediately, isolating affected machines from untrusted user access and implementing application whitelisting can reduce risk.

Patch guidance

Verify patch availability from Microsoft's official security update portal and correlate patch versions with your installed Windows build numbers. Organizations should establish a phased rollout: prioritize internet-facing systems and administrative workstations first, then extend to general-purpose endpoints and servers. Windows Server 2012 is approaching end-of-support; consider using this vulnerability as a driver for migration planning to Server 2016 or newer. Apply patches outside production peak hours when feasible, and maintain detailed logs of patch deployment for audit purposes.

Detection guidance

Monitor for suspicious privilege escalation attempts by correlating Windows Security Event Log entries (Event ID 4672 for special privileges assigned, Event ID 4688 for process creation with elevated tokens). Watch for unexpected user-mode processes spawning child processes with SYSTEM or ADMIN privileges, particularly from service accounts or low-privilege user sessions. Kernel driver interaction anomalies (AFD.sys) may appear in kernel debugger logs or ETW (Event Tracing for Windows) traces; enable detailed process and thread creation auditing. Endpoint Detection and Response (EDR) tools should alert on privilege elevation events tied to WinSock operations.

Why prioritize this

While CVSS 7.0 is elevated, the requirement for local access and high attack complexity prevents this from being a critical remote threat. However, the breadth of affected Windows versions (Windows 10 across all modern releases, Windows 11, and all server variants) combined with the universality of the Ancillary Function Driver means nearly every Windows environment requires attention. Prioritize based on exposure: systems with high-privilege user account density (development, research, or shared workstations) and systems accessible to external contractors or partners warrant faster remediation. The race condition nature means exploit reliability is uncertain, reducing immediate threat severity but not urgency.

Risk score, explained

The CVSS 7.0 score appropriately reflects a serious but contained threat. Attack Vector (Local) and Attack Complexity (High) reduce the score from Critical; the lack of network exploitability is significant. However, the complete impact on confidentiality, integrity, and availability of the affected system (Scope Unchanged, all three CIA metrics High) elevates severity. The requirement for low privileges (a standard user account) is a notable weakness in the baseline security model. No CVSS Environmental adjustments are applied here, but organizations with high numbers of shared or contractor-accessible endpoints should rate their internal risk higher.

Frequently asked questions

Can this vulnerability be exploited remotely over the network?

No. The vulnerability requires an authenticated local user account on the target system. Remote exploitation is not possible; an attacker must already have shell access or user-level code execution on the machine.

What is the practical difference between a race condition and a use-after-free bug?

The race condition (CWE-362) describes the root cause: improper synchronization during concurrent access. The use-after-free (CWE-416) likely describes the consequence: when synchronization fails, memory may be freed while another thread still accesses it. Both are present in this vulnerability.

Should organizations running Windows 10 version 1607 deprioritize other security work to patch this immediately?

Windows 10 1607 reached end-of-service in May 2021; migration off this version should already be underway. However, any still-running instances should be prioritized for patching or decommissioning. Newer Windows 10 releases (22H2) and Windows 11 systems should follow standard patch management timelines.

Is there a workaround if we cannot patch immediately?

No direct workaround exists. Mitigation strategies include restricting local user account access on affected systems, enforcing application whitelisting to prevent privilege escalation tools, and using endpoint controls to monitor for suspicious privilege escalation attempts. These do not eliminate risk but reduce it.

This analysis is provided for informational purposes and reflects information available as of the publication date. Patch availability and severity may vary based on your specific Windows version and organizational risk profile. Always consult official Microsoft security advisories for authoritative patch information and compatibility details. SEC.co does not guarantee the completeness or timeliness of vulnerability intelligence and recommends validation against vendor advisories and your organization's vulnerability management systems. The presence or absence of known exploits does not guarantee future exploit availability. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).