CVE-2026-45638: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys) affects multiple versions of Windows 10 and Windows 11. The flaw is reached locally and requires only a low-privilege account, with no network access or victim interaction needed. Successful exploitation grants the attacker full control over confidentiality, integrity, and availability on the affected host, effectively achieving kernel-level privilege escalation. Patched-image rebuilds at the relevant fix versions are available on HarborGuard for environments running affected Windows base images.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Windows container images that bundle affected afd.sys versions.
Status: Available
HarborGuard surfaces this CVE with its CVSS v3.1 score of 7.8 (HIGH) and applies per-environment compliance policy weighting to determine urgency and route findings to the appropriate team inbox within each customer organization.
Status: Available
Patched-image rebuilds targeting the applicable fix versions (for example, 10.0.14393.9234 for Windows 10 1607 or 10.0.26100.8655 for Windows 11 24H2) are available on HarborGuard for environments running affected base images. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Status: Available
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path to the target is required.
- Authentication: Required
Any low-privilege local account is sufficient; the attacker does not need administrative or elevated credentials to trigger the vulnerability.
- Victim interaction: Not required
No user action or social-engineering step is needed; the attacker can execute the exploit entirely through their own process.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Reads protected memory and sensitive data accessible to the kernel, including credentials and session state held in privileged processes.
- Writes to or corrupts kernel data structures, allowing persistent modification of security controls or system configuration.
- Crashes or destabilizes the operating system, causing an unplanned reboot or denial of service for all workloads on the host.
- Achieves kernel-level code execution, enabling installation of rootkits or bypass of container isolation boundaries.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any customer image containing an affected Windows base layer. Triage cards are generated with the 7.8 HIGH CVSS score and routed according to each environment's compliance policy. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the applicable patched version, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually will find the fix-version details and affected image list in their HarborGuard dashboard to prioritize their own rebuild and redeployment cycle.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
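
One way to check an inventory against the fix versions listed above, as an added example (not HarborGuard's code). It handles the one build in the list where the build number alone does not decide the answer: 10.0.26100 is fixed at revision 8655 for Windows 11 24H2 but at 32995 for Windows Server 2025. The `classify` and `scan` names, the `edition` hint and the sample inventory are assumptions constructed for illustration.

```python
# Fix floors copied from this page's "Fix available" list.
# (major, minor, build) -> {edition: first fixed revision}; "any" = one floor for the build.
FIX_FLOORS = {
    (6, 2, 9200): {"any": 26132},    # Server 2012
    (6, 3, 9600): {"any": 23228},    # Server 2012 R2
    (10, 0, 14393): {"any": 9234},   # Windows 10 1607 / Server 2016
    (10, 0, 17763): {"any": 8880},   # Windows 10 1809 / Server 2019
    (10, 0, 19044): {"any": 7417},   # Windows 10 21H2
    (10, 0, 19045): {"any": 7417},   # Windows 10 22H2
    (10, 0, 20348): {"any": 5256},   # Server 2022
    (10, 0, 22631): {"any": 7219},   # Windows 11 23H2
    (10, 0, 26100): {"client": 8655, "server": 32995},  # Win 11 24H2 vs Server 2025
    (10, 0, 26200): {"any": 8655},   # Windows 11 25H2
    (10, 0, 28000): {"any": 2269},   # Windows 11 26H1
}

def classify(version, edition=None):
    """Return 'vulnerable', 'fixed', 'ambiguous' or 'not-listed' for a four-part version."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.build.revision, got {version!r}")
    major, minor, build, rev = map(int, parts)
    floors = FIX_FLOORS.get((major, minor, build))
    if floors is None:
        return "not-listed"          # build is outside the ranges on this page
    floor = floors.get("any", floors.get(edition))
    if floor is not None:
        return "fixed" if rev >= floor else "vulnerable"
    # Edition unknown and the build has two floors: answer only when both agree.
    if rev >= max(floors.values()):
        return "fixed"
    if rev < min(floors.values()):
        return "vulnerable"
    return "ambiguous"

def scan(inventory):
    """Map each (name, version, edition) entry to its classification."""
    return {name: classify(version, edition) for name, version, edition in inventory}

# Constructed sample inventory (hypothetical image names and versions).
SAMPLE = [
    ("build-agent", "10.0.19045.7416", None),
    ("web-frontend", "10.0.26100.9000", "client"),
    ("api-backend", "10.0.26100.9000", "server"),
    ("legacy-batch", "10.0.26100.9000", None),
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE).items():
        print(f"{name}: {verdict}")
```

An `ambiguous` result means the edition must be established before the image can be marked patched.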
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C