HIGH · CVE-2026-45601 · CNA: microsoft

CVE-2026-45601: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

Metrics

  • CVSS v3.1: 7.0
  • Severity: HIGH
  • Fixed in: 6.2.9200.26132
  • Affected Products: 20

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Windows Ancillary Function Driver (AFD) for WinSock allows a local attacker with a low-privilege account to escalate privileges on the affected host. The exploit runs entirely on the local machine, requires no network access, and succeeds only when the attacker can win a timing race or satisfy specific memory-layout conditions. Successful exploitation gives the attacker full control over the affected system, covering confidentiality, integrity, and availability. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows versions.

HarborGuard Coverage

Detection

Detection for CVE-2026-45601 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built Windows container images. Any image whose base layer falls within the affected version ranges for Windows 10 or Windows 11 is flagged automatically.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.0 (HIGH) and weighting it further against each customer org's per-environment compliance policy, such as stricter thresholds for production or internet-facing workloads. Triage findings are routable to the appropriate team inbox within each customer organization based on those policy settings.

Status: Available

Patch

Patched-image rebuilds at the applicable fix versions (including 10.0.14393.9234, 10.0.17763.8880, and 10.0.19044.7417 among others) are available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker does not need administrator or system-level credentials to attempt exploitation.

  • Victim interaction: Not required

    No user interaction is needed; the attacker executes the exploit entirely through their own process without involving another user.

  • Attack complexity: Detail

    Exploitation is rated High complexity, meaning the attacker must satisfy specific timing or memory-layout conditions, such as winning a race to trigger the use-after-free window, before the privilege escalation succeeds.

Blast Radius

  • A successful attacker reads arbitrary memory from the kernel, exposing credential material, session tokens, or other sensitive data held by higher-privilege processes.
  • The attacker writes to protected kernel structures, allowing modification of security policies, audit settings, or persisted configuration data.
  • The attacker gains SYSTEM-level code execution on the host, giving full control over all processes and resources running on that machine.
  • Kernel-level tampering can crash the affected service or trigger a system-wide fault, causing a denial of service for all workloads on the host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45601 is matched against Windows-based container images as soon as the CVE enters upstream feeds, covering both base images pulled from public registries and custom images built internally. For environments running an affected Windows 10 or Windows 11 base layer, a rebuilt image at the appropriate fix version becomes available immediately upon ingestion of the upstream patch. Where compliance policy permits auto-remediation, HarborGuard rebuilds the affected image, executes a regression test run, and opens a pull request against the impacted workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Because this is a local privilege-escalation bug requiring an existing foothold, customers who want to reduce risk before a rebuild is deployed can apply compensating controls through HarborGuard's network-policy recommendations: isolating container workloads to prevent lateral movement in the event a low-privilege process is compromised limits the practical blast radius while the patch is staged.

Fix available

  • 6.2.9200.26132
  • 6.3.9600.23228
  • 10.0.14393.9234
  • 10.0.17763.8880
  • 10.0.19044.7417
  • 10.0.19045.7417
  • 10.0.20348.5256
  • 10.0.22631.7219
  • 10.0.26100.8655
  • 10.0.26100.32995
  • 10.0.26200.8655
  • 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2012
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 (Server Core installation)
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 R2
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2012 R2 (Server Core installation)
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
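
The ranges above can be checked against an image or host inventory with a numeric comparison of the four-part version. The following is an added example, not HarborGuard's or Microsoft's code; the "client"/"server" family labels, the verdict strings, and the sample inventory names are assumptions made for illustration. It handles the one branch in the list (10.0.26100) where the fixed revision differs between Windows 11 24H2 and Windows Server 2025.

```python
import re

# First fixed revision per (major, minor, build), transcribed from the
# "Affected packages" list. "client"/"server" are labels assumed for this example.
FIXED = {
    (6, 2, 9200): {"server": 26132},
    (6, 3, 9600): {"server": 23228},
    (10, 0, 14393): {"client": 9234, "server": 9234},
    (10, 0, 17763): {"client": 8880, "server": 8880},
    (10, 0, 19044): {"client": 7417},
    (10, 0, 19045): {"client": 7417},
    (10, 0, 20348): {"server": 5256},
    (10, 0, 22631): {"client": 7219},
    (10, 0, 26100): {"client": 8655, "server": 32995},
    (10, 0, 26200): {"client": 8655},
    (10, 0, 28000): {"client": 2269},
}
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def assess(version, family=None):
    """Return 'affected', 'fixed', 'ambiguous', 'not-listed' or 'invalid'."""
    m = _VER.match(version.strip())
    if not m:
        return "invalid"
    # Compare as integers: as strings, "10000" would sort before "9234".
    major, minor, build, rev = (int(p) for p in m.groups())
    fixes = FIXED.get((major, minor, build))
    if fixes is None:
        return "not-listed"
    if family is not None and family not in fixes:
        return "not-listed"
    candidates = [fixes[family]] if family else list(fixes.values())
    if rev < min(candidates):
        return "affected"
    if rev >= max(candidates):
        return "fixed"
    return "ambiguous"  # between two fix revisions and product family unknown

# Constructed sample inventory: (name, version, family)
SAMPLE = [
    ("ci-runner-a", "10.0.17763.8000", "server"),
    ("legacy-app", "10.0.14393.10000", None),
    ("edge-svc", "10.0.26100.9000", None),
    ("edge-svc-known", "10.0.26100.9000", "server"),
]

if __name__ == "__main__":
    for name, ver, fam in SAMPLE:
        print(f"{name:15} {ver:18} {assess(ver, fam)}")
```

An "ambiguous" verdict means the product family has to be resolved before the image can be cleared.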
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C