HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-45598Published Modified CNA microsoft

CVE-2026-45598: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

Metrics

CVSS v3.1
7.0
Severity
HIGH
Fixed in
6.2.9200.26132
Affected Products
20

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Windows Ancillary Function Driver for WinSock (afd.sys), a kernel-mode driver that handles socket operations on Windows. The flaw is exploitable locally by any attacker who already holds a low-privilege account on the affected system, with no network access or victim interaction required, though exploitation requires overcoming high-complexity conditions such as precise memory layout or timing constraints. Successful exploitation grants the attacker full control over the host, elevating from a standard user to kernel-level privileges with complete read, write, and availability impact. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows base images.

HarborGuard Coverage

Detection

Detection of CVE-2026-45598 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream Microsoft and NVD feeds, including custom-built images that layer on affected Windows base layers. Coverage extends to all container images in connected registries and CI/CD pipelines without requiring manual configuration.

Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 7.0 (High) and weighting it against each customer organization's compliance policy to determine urgency and routing. Triage results are available for delivery to the appropriate team inbox within each customer org based on configured ownership rules.

Available
Patch

Patched-image rebuilds against the applicable fix versions (6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and their Windows 11 equivalents) are available on HarborGuard for environments running affected base images. For customers who opt into auto-remediation, HarborGuard can perform a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; no network-facing exposure is required to trigger the vulnerability.

  • AuthenticationRequired

    Any low-privilege local account is sufficient; the attacker does not need administrative or elevated credentials to attempt exploitation.

  • Victim interactionNot required

    No action by another user or administrator is needed; the attacker can trigger the vulnerability entirely through their own process.

  • Attack complexityDetail

    Exploitation is rated high complexity, meaning the attacker must satisfy specific memory layout or timing conditions that are not reliably reproducible without additional preparation.

Blast Radius

  • A successful attacker gains kernel-level code execution, reading any memory on the host including secrets, credentials, and session tokens held by other processes.
  • The attacker can write to arbitrary kernel memory, modifying security policy, access tokens, or persisted data belonging to any process or user on the system.
  • The attacker can crash or destabilize the kernel, causing a system halt or blue-screen that takes the entire host offline.
  • Because privilege is elevated to the kernel, any container or process isolation on the affected host is subject to escape or bypass.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45598 is active across connected registries and pipelines, matching affected Windows base image versions as soon as the CVE was ingested. For environments running impacted Windows 10 or Windows 11 base layers, a patched-image rebuild at the appropriate fix version is available. For customers who opt into auto-remediation, HarborGuard can rebuild the image, execute a regression test run, and open a pull request against affected workloads; for high-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy permits automated remediation, no manual triage step is required to initiate the rebuild workflow. Customers who have not enabled auto-remediation can review the flagged images in the HarborGuard dashboard and initiate a manual rebuild from the CVE detail view.

See how HarborGuard automates this

Fix available

6.2.9200.261326.3.9600.2322810.0.14393.923410.0.17763.888010.0.19044.741710.0.19045.741710.0.20348.525610.0.22631.721910.0.26100.865510.0.26100.3299510.0.26200.865510.0.28000.2269
Patch commits
Affected packages
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2012
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 (Server Core installation)
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 R2
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2012 R2 (Server Core installation)
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
References