HIGH | CVE-2026-45596 | CNA: microsoft

CVE-2026-45596: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

Metrics

  • CVSS v3.1: 7.0
  • Severity: HIGH
  • Fixed in: 6.2.9200.26132
  • Affected Products: 20


HarborGuard Analysis

Synopsis

Use-after-free vulnerability in the Windows Ancillary Function Driver (AFD) for WinSock allows a local attacker to elevate privileges on affected Windows systems. Exploitation requires a low-privilege account on the target host but no network access or user interaction; the attacker must win a race condition to trigger the memory corruption. Successful exploitation gives the attacker full control over the system, enabling arbitrary code execution at elevated (kernel-level) privileges. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows base images.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: CVE-2026-45596 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images layered on affected Windows base images. Any image whose installed AFD driver version falls within the affected ranges is flagged automatically in the pipeline scan results.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.0 (HIGH) and weighting it further based on each customer organization's compliance policy, for example policies that treat local-privilege-escalation findings on Windows base images as critical-priority. Routed findings can be directed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild targeting the applicable fix versions (such as 10.0.14393.9234, 10.0.17763.8880, and 10.0.19044.7417 for the relevant Windows 10 branches) is available on HarborGuard for affected images. For customers who opt into auto-remediation, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker does not need administrator or system-level credentials to attempt exploitation.

  • Victim interaction: Not required

    No user interaction is needed; the attacker triggers the vulnerability entirely through their own process activity.

  • Attack complexity: Detail

    Exploitation is rated High complexity, meaning the attacker must successfully win a race condition or satisfy other timing-dependent environmental factors to corrupt memory and gain elevated privileges.

Blast Radius

  • A successful attacker gains kernel-level code execution on the compromised host.
  • The attacker can read any data on the system, including credentials, session tokens, and sensitive files belonging to other users or processes.
  • The attacker can modify or delete any files, registry keys, or persisted data on the host.
  • The attacker can crash or disable system services, causing a denial of service for all workloads running on the host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45596 is active for all images built on affected Windows base image versions, with results available within minutes of image ingestion or CVE publication. Triage scoring is applied at CVSS 7.0 HIGH, and compliance policy weighting can escalate local-privilege-escalation findings further based on each organization's risk posture. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding affected images at the patched versions, running regression tests, and opening a PR against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automated remediation, HarborGuard surfaces the finding with the specific affected version range and the corresponding fix version so that engineering teams can plan the update manually.


Fix available

  • 6.2.9200.26132
  • 6.3.9600.23228
  • 10.0.14393.9234
  • 10.0.17763.8880
  • 10.0.19044.7417
  • 10.0.19045.7417
  • 10.0.20348.5256
  • 10.0.22631.7219
  • 10.0.26100.8655
  • 10.0.26100.32995
  • 10.0.26200.8655
  • 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2012
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 (Server Core installation)
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 R2
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2012 R2 (Server Core installation)
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C