HIGH 7.8

CVE-2026-45638: Windows Ancillary Function Driver Privilege Escalation Vulnerability

A memory corruption flaw in Windows' Ancillary Function Driver for WinSock can allow an attacker with local system access to bypass privilege controls and gain full administrative rights. The vulnerability exists in how the driver handles network socket operations and does not require user interaction to exploit. An attacker would need to already have a foothold on the machine, but once they do, this bug becomes a direct path to system-level control.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-122
Affected products
24 configuration(s)
Published / Modified
2026-06-09 / 2026-07-01

NVD description (verbatim)

Heap-based buffer overflow in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45638 is a heap-based buffer overflow (CWE-122) in the Windows Ancillary Function Driver for WinSock (afd.sys). The vulnerability allows an authenticated local attacker to write beyond allocated heap memory boundaries, corrupting adjacent data structures. By crafting malicious input to WinSock API calls, an attacker can overwrite critical kernel objects and achieve privilege escalation from a low-privilege user context to SYSTEM. The flaw affects multiple Windows 10 and Windows 11 releases, as well as Windows Server 2012 through 2025. No user interaction is required for exploitation.

Business impact

Organizations face an elevated risk of privilege escalation attacks in environments where insider threats or prior compromises exist. Once an attacker gains any user-level access—through phishing, malware, or a secondary vulnerability—they can weaponize this flaw to obtain full system control, leading to potential data exfiltration, lateral movement, and infrastructure compromise. The wide scope of affected Windows versions means patching demand will be significant across enterprise estates. Unpatched systems become stepping stones for multi-stage attacks.

Affected systems

All consumer and server Windows releases spanning Windows 10 (versions 1607, 1809, 21H2, 22H2) and Windows 11 (versions 23H2, 24H2, 25H2, 26H1) are affected. Enterprise deployments of Windows Server 2012, 2016, 2019, 2022, and 2025 are also in scope. Organizations with extended lifecycle support contracts for older Windows 10 versions (1607, 1809) and Server 2012 should note potential patch availability constraints; verify support status with Microsoft.

Exploitability

Exploitation requires local code execution with authenticated user privileges. The flaw cannot be triggered remotely over the network. However, the barrier to exploitation is low once an attacker is local—no special Windows Sandbox escape, no race condition timing, and no user interaction needed. Proof-of-concept development is straightforward for skilled adversaries. The attack vector remains bounded by the need for initial access, which prevents widespread remote worm-like propagation but makes this a critical link in multi-stage compromise chains.

Remediation

Microsoft security patches addressing this buffer overflow are the definitive remediation. Organizations should prioritize patching all affected Windows 10 and Windows 11 endpoints, as well as Windows Server infrastructure. For systems with extended support lifecycles, confirm patch availability before scheduling maintenance windows. Mitigating controls such as enforcing least-privilege accounts, disabling unnecessary network services, and monitoring for unusual privilege escalation activity can reduce exploitation risk on machines awaiting patches, but do not eliminate the vulnerability.

Patch guidance

Apply Microsoft's security update for CVE-2026-45638 as soon as feasible within your change management process. Microsoft typically bundles fixes into monthly Patch Tuesday releases; verify the specific KB article and update number through the Microsoft Security Update Guide. Test patches in a non-production environment first, particularly in server deployments where WinSock functionality may be heavily used. Organizations running Windows 10 versions 1607 and 1809 should confirm these versions remain in support or plan migration timelines alongside patching efforts.

Detection guidance

Monitor endpoint and host-based detection systems for anomalous heap corruption patterns, kernel debugger activity, or privilege escalation audit events. Look for processes attempting to interact with afd.sys through unusual WinSock API sequences or IOCTL calls. Windows Defender and third-party EDR solutions can flag suspicious kernel-mode activity and token impersonation attempts. Configure audit policies to log failed and successful privilege escalations. Behavioral baselines for your environment are essential—privilege escalation attempts are relatively rare in normal operations and should trigger investigation.

Why prioritize this

With a CVSS score of 7.8 (HIGH) and a straightforward local privilege escalation path, this vulnerability sits in the upper tier of operational risk. Absence from the CISA KEV catalog does not diminish its severity; it indicates no confirmed active exploitation at publication, but the technical simplicity and broad affected base make it an attractive target for sophisticated adversaries and insider threats. Any organization with multi-user systems or shared infrastructure should treat this as a high-priority patch cycle item, especially where users have network access, removable media, or supply chain touchpoints.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects the combination of local attack surface (AV:L), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction (UI:N), and unchanged scope (S:U), balanced against high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately captures the severity of unrestricted system compromise achievable from an authenticated low-privilege account. Contextually, the lack of network exploitability and requirement for prior access prevent a critical score, but the completeness of post-compromise control justifies the HIGH severity classification.

Frequently asked questions

Do I need to be a system administrator to exploit this vulnerability?

No. The vulnerability can be exploited by any authenticated user account on the system, including service accounts, domain users, or local user accounts with minimal privileges. This makes it particularly dangerous in shared hosting environments, corporate multi-user machines, and scenarios where an attacker has already achieved initial code execution through other means.

Can this vulnerability be exploited over the network or only locally?

Exploitation is strictly local—an attacker must already have code execution on the target machine. The vulnerability cannot be triggered remotely via network protocols. However, this does not minimize risk; once an attacker gains any foothold (malware infection, phishing success, supply chain compromise), this bug becomes a reliable path to full system control.

Are Windows Server editions affected the same way as Windows 10 and 11?

Yes, Windows Server 2012 through 2025 all contain the same vulnerable afd.sys code and are equally affected. Server deployments may face additional risk if they host multi-tenant workloads or run network services that could be compromised. Patch these with the same priority as client endpoints.

Why isn't this vulnerability in CISA's Known Exploited Vulnerabilities catalog yet?

Inclusion in the KEV catalog is based on confirmed public exploitation, and as of the publication date, no confirmed active exploitation has been documented. This does not mean the vulnerability is low-risk or will remain unexploited indefinitely. Technical simplicity and breadth of affected platforms make it an attractive target; assume active exploitation may occur and prioritize patching accordingly.

This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. SEC.co does not provide guarantee of accuracy or completeness. Organizations should verify all technical details, affected product versions, and patch availability directly with Microsoft security advisories and vendor documentation. Patch testing should be performed in isolated lab environments before production deployment. No exploit code or weaponized proof-of-concept materials are provided herein. Consult official Microsoft Security Update Guide for definitive patch information and KB article references. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).