HIGH 7.0

CVE-2026-45603: Windows AFD Race Condition Privilege Escalation Vulnerability

A race condition vulnerability exists in Windows' Ancillary Function Driver for WinSock (AFD) that allows an authorized local user to escalate privileges to a higher level on the system. The flaw arises from improper synchronization when multiple processes access a shared resource simultaneously, creating a narrow window of opportunity for an attacker to manipulate the driver's behavior. An authenticated user with basic local access can exploit this to gain elevated privileges, potentially achieving full system compromise. This is not a remote vulnerability and requires the attacker already has some level of access to the target machine.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-362, CWE-416
Affected products
24 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45603 is a use-after-free race condition (CWE-362, CWE-416) in the Windows AFD kernel driver. The vulnerability stems from improper synchronization of concurrent access to shared kernel resources. An authorized local user can trigger a specific sequence of operations that causes the driver to dereference memory that has been freed by another thread, or to access shared data without adequate locking mechanisms. By carefully timing operations or creating contention for the affected resource, an attacker can corrupt kernel memory structures or execute arbitrary code in kernel context. The attack surface requires prior local code execution capability and relies on race condition timing that may require multiple attempts.

Business impact

Organizations running affected Windows systems face elevated risk of unauthorized privilege escalation from standard user accounts to system-level access. In multi-tenant or shared computing environments (thin clients, virtualized desktops, terminal servers), this represents a direct path to lateral movement and complete host compromise. Workstations and servers where local user accounts have restricted but legitimate access—such as application service accounts, contractor systems, or developer machines—become vectors for full system takeover. The impact extends to potential compromise of sensitive data, installation of persistent malware, and circumvention of application-level security controls.

Affected systems

The vulnerability affects a broad range of Windows platforms: Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server 2012, 2016, 2019, 2022, and 2025. Given this widespread coverage across both client and server editions spanning multiple years of release cycles, the vast majority of Windows deployments require attention. Organizations should assume nearly all Windows infrastructure may be affected unless explicitly running a patched build.

Exploitability

Exploitation requires an attacker to already possess local user-level access to a target system—this is not remotely exploitable. The CVSS vector (AC:H) indicates attack complexity is high, reflecting the race condition timing difficulty. However, successful exploitation has been demonstrated as feasible in research contexts. The barrier to exploitation is lower in environments where local accounts are common (development teams, shared lab machines, contractor access) than in locked-down enterprise desktops. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, but the attack pattern is well-understood in kernel exploitation literature, making public proof-of-concept code a credible future risk.

Remediation

Microsoft has released security updates for all affected Windows versions. Organizations should prioritize patching based on operational criticality and exposure level: servers and workstations with broad user access or service accounts take highest priority. Verify patches are applied by checking Windows Update history and confirming the latest cumulative update installation. For systems where immediate patching is not feasible, mitigate by restricting local user account creation and enforcing strong access controls; however, this is a temporary measure only and full patching remains mandatory.

Patch guidance

Obtain and apply the latest cumulative security update for your Windows version from Microsoft's official channels (Windows Update, WSUS, or direct download from Microsoft.com). Each Windows version—10 vs. 11, and specific release versions (1607, 22H2, etc.)—requires its own corresponding patch. Verify the update has been installed by running 'Get-HotFix' in PowerShell or checking Settings > Update & Security > Update History. Test patches in a non-production environment first, particularly on servers running mission-critical applications. Establish a rollout schedule that balances security urgency against change management windows; given the high severity and broad applicability, aim to complete deployment within 30 days of patch availability.

Detection guidance

Monitor for suspicious kernel-mode access patterns and memory corruption errors using Windows Event Viewer (Event ID 41 for unexpected shutdowns, Event ID 1001 for kernel errors). Enable kernel-mode crash dump analysis to detect exploitation attempts that trigger memory violations. Endpoint Detection and Response (EDR) tools should flag unusual sequences of AFD driver I/O control (IOCTL) calls from non-system processes or repeated IOCTL invocations in rapid succession. Look for local privilege escalation behaviors: a standard user process spawning child processes with elevated tokens, unexpected system process creation, or unusual access to %SystemRoot%\System32. Security Information and Event Management (SIEM) systems should correlate local logon events followed shortly by administrative process creation from the same source.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH severity rating, broad platform coverage, privilege escalation impact, and the authenticated-but-local attack vector that is realistic in many environments. While not currently exploited in the wild (per KEV status), the technical nature of the flaw—a kernel race condition—is well within the capability of sophisticated threat actors. Organizations should treat this as a critical patch cycle item. The combination of high CVSS score (7.0), impactful outcome (full system compromise), and the ubiquity of Windows across enterprise infrastructure creates substantial aggregate organizational risk.

Risk score, explained

The CVSS 3.1 score of 7.0 (HIGH) reflects: (1) local attack vector requiring prior access, (2) high attack complexity due to race condition timing, (3) low privilege requirement (standard user), (4) no user interaction needed, and (5) high impact across confidentiality, integrity, and availability. The scope is unchanged (attacker impact is limited to the affected component). This score appropriately captures the severity for an authenticated privilege escalation: serious enough to demand urgent patching, but not as critical as an unauthenticated remote code execution vulnerability. Organizations with strict authorization models may assess their individual risk lower; however, the default posture should assume the vulnerability is exploitable in your environment.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-45603 requires the attacker to already have local user-level access to the system. It cannot be exploited over the network without first gaining local code execution through another means. However, once an attacker has any local foothold—even a restricted user account—this flaw provides a path to complete system control.

Do we need to patch if our users don't have local administrator rights?

Yes. The vulnerability allows a standard (non-administrator) user to escalate to system-level privileges. Restricting administrator rights is a good security practice, but it does not mitigate this particular flaw. All users with local accounts on affected systems should be treated as potential attackers, making patching mandatory regardless of permissions model.

Is there a workaround if we can't patch immediately?

There is no complete workaround. Temporary mitigations include disabling unnecessary local user accounts, enforcing strong authentication on shared systems, and monitoring for exploitation attempts via EDR. However, these measures are not substitutes for patching. Prioritize patches within your change management process and aim for full deployment as soon as operationally feasible.

How do we verify the patch is installed correctly?

On Windows 10 and 11, go to Settings > Update & Security > Update History and verify the latest cumulative update is listed. Alternatively, run 'Get-HotFix' in PowerShell to list installed patches. For servers using WSUS or System Center, confirm the update is approved, deployed, and reporting as installed on target systems. Always test patches in a lab or non-production environment first.

This analysis is provided for informational purposes to assist security professionals in understanding and remediating CVE-2026-45603. SEC.co does not provide legal, compliance, or operational risk assessment. Organizations must evaluate their own risk tolerance, asset inventory, and regulatory obligations. Patch version information and affected product lists should be verified against Microsoft's official security advisories before deployment. This document does not constitute professional security advice; consult your organization's security team and Microsoft support for your specific environment. The vulnerability landscape and exploitation status may change; monitor official channels for updates. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).