HIGH | CVE-2026-34335 | CNA: microsoft

CVE-2026-34335: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

Metrics

  • CVSS v3.1: 7.0
  • Severity: HIGH
  • Fixed in: 6.2.9200.26132
  • Affected Products: 20


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Windows Ancillary Function Driver (AFD) for WinSock allows a local attacker with a low-privilege account to elevate their privileges on the affected host. The flaw is reached locally and requires no network exposure, but the attacker must already hold a valid user account on the system. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the host. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected Windows version.

HarborGuard Coverage

Detection

Detection of CVE-2026-34335 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Windows-based container images, in connected registries and CI pipelines.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.0 (HIGH) and weighting that score against each customer organization's compliance policy to determine urgency and routing, directing findings to the appropriate team inbox within each customer environment.

Status: Available

Patch

A patched-image rebuild at the applicable fix version (for example, 10.0.14393.9234 for Windows 10 1607, or 10.0.19044.7417 for Windows 10 21H2) becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes regression tests, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the vulnerable service is required.

  • Authentication: Required

    Any low-privilege local user account is sufficient; no administrative credentials are needed to attempt exploitation.

  • Victim interaction: Not required

    The attacker does not need to trick or involve another user; the exploit executes without any user interaction.

  • Attack complexity: Detail

    Exploitation is rated high complexity, meaning the attacker likely depends on specific race conditions, timing windows, or memory layout factors to trigger the use-after-free reliably.

Blast Radius

  • A successful attacker reads protected files, credentials, and memory belonging to other processes on the host.
  • The attacker writes or modifies system files, registry keys, and process memory, enabling persistent changes to the host.
  • The attacker can crash or hang the affected Windows kernel driver, disrupting network socket operations for all processes on the host.
  • Because all three impact dimensions (confidentiality, integrity, availability) are rated HIGH, a fully weaponized exploit effectively gives the attacker kernel-level control of the compromised host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-34335 is matched against customer images within minutes of advisory publication, covering all Windows-based container images in connected registries and CI pipelines. For environments running an affected Windows version, a patched-image rebuild at the appropriate fix version is available once the upstream fix is confirmed. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is routed to the appropriate team inbox with the CVSS 7.0 HIGH score and policy-weighted priority so engineers can act manually. Because the exploit requires local access with a low-privilege account, compensating controls such as restricting interactive login to containers and enforcing least-privilege user policies can reduce exposure while patching is scheduled.


Fix available

  • 6.2.9200.26132
  • 6.3.9600.23228
  • 10.0.14393.9234
  • 10.0.17763.8880
  • 10.0.19044.7417
  • 10.0.19045.7417
  • 10.0.20348.5256
  • 10.0.22631.7219
  • 10.0.26100.8655
  • 10.0.26100.32995
  • 10.0.26200.8655
  • 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2012
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 (Server Core installation)
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 R2
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2012 R2 (Server Core installation)
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C