CVE-2026-42911: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.0
- Severity: HIGH
- Fixed in: 6.2.9200.26132 (lowest fix build listed; per-product fix builds are under Fix available)
- Affected Products: 20
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Windows Ancillary Function Driver for WinSock (afd.sys), a kernel-mode driver that handles WinSock networking operations on Windows. Exploitation requires local access and a low-privilege account, and succeeds only when specific timing or memory-layout conditions are met, reflecting the High attack complexity rating. Successful exploitation grants the attacker full control over confidentiality, integrity, and availability on the affected host, effectively achieving kernel-level privilege escalation. Patched-image rebuilds at the relevant fix versions are available on HarborGuard for environments running an affected Windows version.
HarborGuard Coverage
Detection of CVE-2026-42911 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Microsoft's advisory) within minutes of publication and matched against all customer images, including custom-built Windows-based container images. Any image whose base layer carries an affected afd.sys build version is flagged automatically in the registry scan and in CI/CD pipeline checks.
HarborGuard surfaces this CVE with its CVSS 3.1 score of 7.0 (High), weighted further by any per-environment compliance policies that treat local privilege escalation on Windows workloads as critical. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Patched-image rebuilds pinned to the applicable fix versions (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and the corresponding Windows 11 builds) are available on HarborGuard for any environment running an affected image. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required. The attacker needs an existing shell or process on the host; no network path to the target is required.
- Authentication: Required. Any low-privilege local account is sufficient; the vulnerability does not require administrative or elevated credentials before exploitation.
- Victim interaction: Not required. No user interaction is required; the attacker can trigger the vulnerability entirely through their own process without involving another user.
- Attack complexity: High. The exploit depends on specific memory-layout or timing conditions that the attacker cannot fully control and may need multiple attempts to satisfy.
Blast Radius
- Reads arbitrary kernel memory, exposing credentials, session tokens, and other sensitive data held in kernel address space.
- Writes to kernel memory, allowing the attacker to modify security tokens and grant themselves SYSTEM-level privileges.
- Can crash or destabilize the affected system by corrupting kernel data structures, causing a denial-of-service condition.
- With SYSTEM-level access, the attacker can disable security tooling, install persistent backdoors, or pivot to other resources accessible from the compromised host.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-42911 activates as soon as the advisory enters the ingest pipeline, typically within minutes of publication. For environments running affected Windows 10 or Windows 11 base images, rebuilt images at the patched versions are available for pull immediately. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression test run, and opens a pull request against affected workloads; for High-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments where auto-remediation is not enabled, the finding appears in the HarborGuard dashboard with affected image paths, the precise build version range, and links to Microsoft's official advisory so the owning team can act manually.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
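The fix list above is a set of half-open build ranges, and the only way to use it reliably is to compare a four-part build number against the right row. The Python below is an added example (not HarborGuard's scanner logic and not part of this advisory): it transcribes the advisory's fix builds, with Server Core SKUs folded into their parent product because they share the same builds, and classifies a version string against them. The version string is one you obtain yourself, for example the base image's OS build or the afd.sys file version on a host; the parser tolerates trailing decoration such as a "(WinBuild...)" suffix, and the sample inputs in the block are constructed. The optional product hint exists because one build line is genuinely ambiguous on this page: 10.0.26100.x is both Windows 11 Version 24H2 (fixed at .8655) and Windows Server 2025 (fixed at .32995).

```python
"""Classify a Windows build version against the CVE-2026-42911 fix table.

Added example, not HarborGuard's scanner logic and not part of the advisory.
The table below is transcribed from the advisory's "Fix available" list;
Server Core SKUs are folded into their parent product (same builds).
"""
import re
from typing import List, NamedTuple, Optional, Tuple

Build = Tuple[int, ...]  # (major, minor, build, revision)


class FixEntry(NamedTuple):
    product: str
    affected_from: str  # first affected build (inclusive)
    fixed_in: str       # first build carrying the fix (exclusive upper bound)


FIX_TABLE: List[FixEntry] = [
    FixEntry("Windows 10 Version 1607", "10.0.14393.0", "10.0.14393.9234"),
    FixEntry("Windows 10 Version 1809", "10.0.17763.0", "10.0.17763.8880"),
    FixEntry("Windows 10 Version 21H2", "10.0.19044.0", "10.0.19044.7417"),
    FixEntry("Windows 10 Version 22H2", "10.0.19045.0", "10.0.19045.7417"),
    FixEntry("Windows 11 Version 23H2", "10.0.22631.0", "10.0.22631.7219"),
    FixEntry("Windows 11 Version 24H2", "10.0.26100.0", "10.0.26100.8655"),
    FixEntry("Windows 11 Version 25H2", "10.0.26200.0", "10.0.26200.8655"),
    FixEntry("Windows 11 Version 26H1", "10.0.28000.0", "10.0.28000.2269"),
    FixEntry("Windows Server 2012", "6.2.9200.0", "6.2.9200.26132"),
    FixEntry("Windows Server 2012 R2", "6.3.9600.0", "6.3.9600.23228"),
    FixEntry("Windows Server 2016", "10.0.14393.0", "10.0.14393.9234"),
    FixEntry("Windows Server 2019", "10.0.17763.0", "10.0.17763.8880"),
    FixEntry("Windows Server 2022", "10.0.20348.0", "10.0.20348.5256"),
    FixEntry("Windows Server 2025", "10.0.26100.0", "10.0.26100.32995"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_build(text: str) -> Build:
    """Extract major.minor.build.revision from a version string.

    Tolerates decoration such as "10.0.19045.5000 (WinBuild.160101.0800)",
    the shape a file's VersionInfo.FileVersion often has (constructed sample).
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no four-part build number in {text!r}")
    return tuple(int(g) for g in match.groups())


class Assessment(NamedTuple):
    status: str                # "vulnerable", "patched", "ambiguous" or "unlisted"
    products: Tuple[str, ...]  # product lines whose build number matched
    fixed_in: Optional[str]    # build to reach when not "patched"


def assess(version_text: str, product: Optional[str] = None) -> Assessment:
    """Compare a build against the table, optionally narrowed to one product.

    Build numbers do not always identify the product: 10.0.26100.x is both
    Windows 11 Version 24H2 (fixed at .8655) and Windows Server 2025 (fixed at
    .32995). Without a product hint, a revision between the two fix levels is
    reported as "ambiguous", with the higher fix build as the safe target.
    """
    build = parse_build(version_text)
    matches = [e for e in FIX_TABLE if parse_build(e.affected_from)[:3] == build[:3]]
    if product is not None:
        matches = [e for e in matches if e.product == product]
    if not matches or build < min(parse_build(e.affected_from) for e in matches):
        return Assessment("unlisted", (), None)
    products = tuple(e.product for e in matches)
    fixes = [parse_build(e.fixed_in) for e in matches]
    highest_fix = max(matches, key=lambda e: parse_build(e.fixed_in)).fixed_in
    if all(build < fix for fix in fixes):
        return Assessment("vulnerable", products, highest_fix)
    if all(build >= fix for fix in fixes):
        return Assessment("patched", products, None)
    return Assessment("ambiguous", products, highest_fix)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the advisory.
    for sample, hint in [("10.0.19045.5000 (WinBuild.160101.0800)", None),
                         ("10.0.19045.7417", None),
                         ("10.0.26100.10000", None),
                         ("10.0.26100.10000", "Windows Server 2025"),
                         ("10.0.22000.1", None)]:
        print(sample, hint, assess(sample, hint))
```

An "unlisted" result only means the build line is not one the advisory enumerates; it is not a clean bill for builds the table does not cover. When the status is "ambiguous", feed the product name from the image metadata or the host's edition back in as the hint rather than guessing.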
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C