CVE-2026-45603: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1
- 7.0
- Severity
- HIGH
- Fixed in
- 6.2.9200.26132 (Windows Server 2012; fixed builds for the other affected releases are listed under Fix available)
- Affected Products
- 20
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys) allows a local attacker with a low-privilege account to escalate privileges on the affected host. The attack is local-only: the attacker must already hold an authenticated session or a running process on the machine, and no network exposure is involved. Because afd.sys executes in the kernel, successful exploitation yields SYSTEM-level control and a complete loss of confidentiality, integrity, and availability on the host (CVSS C:H/I:H/A:H). Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows versions.
HarborGuard Coverage
Detection for CVE-2026-45603 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including the Microsoft Security Response Center advisory. This matching capability covers custom-built Windows container images alongside images pulled from public or private registries.
Detection: Available
HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 7.0 (HIGH) and weighting that score against each environment's compliance policy to surface findings at the appropriate priority. Routing rules can direct the finding to the correct team inbox within each customer organization based on image ownership and policy configuration.
Triage: Available
Patched-image rebuilds targeting the applicable fix versions (for example, 10.0.14393.9234 for Windows 10 Version 1607 and the corresponding builds for other affected releases) become available on HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard is capable of performing a rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.
Remediation: Available
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access to any service is required (CVSS AV:L).
- Authentication: Required
Any low-privilege authenticated account on the host is sufficient; no administrative rights are needed to begin the attack (CVSS PR:L).
- Victim interaction: Not required
No user interaction is required; the attacker triggers the vulnerability entirely through their own actions (CVSS UI:N).
- Attack complexity: High
Exploitation is rated High complexity (CVSS AC:H): as with most kernel use-after-free bugs, the attacker must win a race or arrange a specific memory layout before the freed object is reused, which makes reliable triggering non-trivial.
Blast Radius
- A successful attacker gains the ability to read privileged memory, including credentials, tokens, and kernel data structures accessible only to elevated processes.
- The attacker can write to protected kernel or user-space memory, allowing persistent modification of security controls, audit logs, or application data.
- The attacker can crash or hang the affected Windows host, causing a full denial of service for all processes and workloads running on it.
- Because the vulnerability resides in the kernel-level WinSock driver, privilege escalation from a low-privilege user context to SYSTEM-level control is achievable. For process-isolated Windows containers the afd.sys that is loaded is the host's, so a low-privilege process inside such a container that exploits this bug obtains SYSTEM on the container host, not merely inside the container; Hyper-V-isolated containers run their own kernel and do not share this exposure with the host.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is matched against all Windows container images in customer registries and CI pipelines within minutes of advisory ingestion. Triage is scored at CVSS 7.0 HIGH and can be weighted against per-environment compliance policies before routing to the appropriate team. Where compliance policy permits, patched-image rebuilds at the relevant fix versions are available; for customers with auto-remediation enabled, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in auto-remediation-enabled environments. Given that the CVSS exploit maturity is rated Unproven (E:U) and an official vendor fix is available (RL:O), applying the OS patch across affected Windows container base images is the most direct mitigation. One caveat for container estates: afd.sys is a kernel driver, and with process isolation the kernel that runs is the host's, so rebuilding the base image brings the image's copy of the file to the fixed version for scanner matching but does not close the vulnerability until the container host itself is patched and rebooted. With Hyper-V isolation the container kernel is supplied with the base image, so the image rebuild is what delivers the fix there.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
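The fix table above is easiest to act on as a host-side check. The following PowerShell script is an added example, not HarborGuard or Microsoft code: it reads the version of the afd.sys installed on the host, picks the matching fixed build from the table, and reports whether the host is patched. It assumes Windows PowerShell 3.0 or later and that it is run on the container host itself (inside a process-isolated container the driver that is loaded belongs to the host kernel, so the result there would describe the image rather than the exposed kernel). The table keys, the `Get-AfdPatchState` function name and the output fields are this example's own choices.

```powershell
# Added example; not HarborGuard or Microsoft code. Compares the afd.sys installed on this
# host against the fixed builds listed on this page for CVE-2026-45603.
# Assumptions: Windows PowerShell 3.0+, run on the host (not inside a process-isolated
# container, where the loaded driver is the host's and the image's copy is irrelevant).

# Fixed versions as listed in the "Fix available" table. Build 26100 is shared by Windows 11
# 24H2 and Windows Server 2025 with different fixed revisions, so each key carries the
# installation type ('Client' or 'Server') as well as the build number.
$FixedBuilds = @{
    '9200/Server'  = [version]'6.2.9200.26132'    # Windows Server 2012
    '9600/Server'  = [version]'6.3.9600.23228'    # Windows Server 2012 R2
    '14393/Client' = [version]'10.0.14393.9234'   # Windows 10 1607
    '14393/Server' = [version]'10.0.14393.9234'   # Windows Server 2016
    '17763/Client' = [version]'10.0.17763.8880'   # Windows 10 1809
    '17763/Server' = [version]'10.0.17763.8880'   # Windows Server 2019
    '19044/Client' = [version]'10.0.19044.7417'   # Windows 10 21H2
    '19045/Client' = [version]'10.0.19045.7417'   # Windows 10 22H2
    '20348/Server' = [version]'10.0.20348.5256'   # Windows Server 2022
    '22631/Client' = [version]'10.0.22631.7219'   # Windows 11 23H2
    '26100/Client' = [version]'10.0.26100.8655'   # Windows 11 24H2
    '26100/Server' = [version]'10.0.26100.32995'  # Windows Server 2025
    '26200/Client' = [version]'10.0.26200.8655'   # Windows 11 25H2
    '28000/Client' = [version]'10.0.28000.2269'   # Windows 11 26H1
}

function Get-AfdPatchState {
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $afd = (Get-Item (Join-Path $env:SystemRoot 'System32\drivers\afd.sys')).VersionInfo

    # Build the version from the numeric fields; the FileVersion string may carry a branch tag.
    $afdVersion = [version]('{0}.{1}.{2}.{3}' -f $afd.FileMajorPart, $afd.FileMinorPart,
                                                  $afd.FileBuildPart, $afd.FilePrivatePart)

    # 'Server' and 'Server Core' both use the server threshold; anything else is a client SKU.
    $kind = if ($cv.InstallationType -like 'Server*') { 'Server' } else { 'Client' }
    $key  = '{0}/{1}' -f $afd.FileBuildPart, $kind

    # A pending servicing reboot means the file on disk can be newer than the driver the
    # kernel actually loaded, so the host is still exposed until it restarts.
    $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

    # UBR (the revision part of the OS build) is absent on releases older than Windows 10.
    $ubr = if ($null -ne $cv.UBR) { $cv.UBR } else { 'n/a' }

    $result = [ordered]@{
        Host          = $env:COMPUTERNAME
        Product       = $cv.ProductName
        OSBuild       = '{0}.{1}' -f $cv.CurrentBuildNumber, $ubr
        AfdVersion    = $afdVersion
        FixedVersion  = $null
        RebootPending = $rebootPending
        Status        = 'Unknown'
    }

    if (-not $FixedBuilds.ContainsKey($key)) {
        $result.Status = 'Build line not in the fix table on this page; check the MSRC advisory'
    }
    else {
        $result.FixedVersion = $FixedBuilds[$key]
        if ($afdVersion -lt $result.FixedVersion) {
            $result.Status = 'Vulnerable: installed afd.sys predates the fixed build'
        }
        elseif ($rebootPending) {
            $result.Status = 'Patched on disk, reboot pending: the loaded driver may still be the old one'
        }
        else {
            $result.Status = 'Patched'
        }
    }
    [pscustomobject]$result
}

Get-AfdPatchState | Format-List
```

The check deliberately compares the driver file's own version rather than only the OS build: the fix ships a new afd.sys, so a driver at or above the fixed build is the direct evidence that the vulnerable code is gone, while the OS build line in the output is context for mapping the host to the table. For a fleet, pipe `Get-AfdPatchState` through `Invoke-Command` against the container hosts and filter on `Status`.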
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C